ISSN 1816-353X (Print) Vol. 21, No. 1 (Jan. 2019) ISSN 1816-3548 (Online)

INTERNATIONAL JOURNAL OF NETWORK SECURITY

Editor-in-Chief Gregorio Martinez Prof. Min-Shiang Hwang University of Murcia (UMU) (Spain) Department of Computer Science & Information Engineering, Asia Sabah M.A. Mohammed University, Taiwan Department of Computer Science, Lakehead University (Canada) Co-Editor-in-Chief: Lakshmi Narasimhan Prof. Chin-Chen Chang (IEEE Fellow) School of Electrical Engineering and Computer Science, University of Department of Information Engineering and Computer Science, Newcastle (Australia) Feng Chia University, Taiwan Khaled E. A. Negm Publishing Editors Etisalat University College (United Arab Emirates) Shu-Fen Chiou, Chia-Chun Wu, Cheng-Yi Yang Joon S. Park School of Information Studies, Syracuse University (USA) Board of Editors Antonio Pescapè University of Napoli "Federico II" (Italy) Ajith Abraham Zuhua Shao School of Computer Science and Engineering, Chung-Ang University Department of Computer and Electronic Engineering, Zhejiang University (Korea) of Science and Technology (China) Wael Adi Mukesh Singhal Institute for Computer and Communication Network Engineering, Technical Department of Computer Science, University of Kentucky (USA) University of Braunschweig (Germany) Nicolas Sklavos Sheikh Iqbal Ahamed Informatics & MM Department, Technological Educational Institute of Department of Math., Stat. and Computer Sc. Marquette University, Patras, Hellas (Greece) Milwaukee (USA) Tony Thomas Vijay Atluri School of Computer Engineering, Nanyang Technological University MSIS Department Research Director, CIMIC Rutgers University (USA) (Singapore) Mauro Barni Mohsen Toorani Dipartimento di Ingegneria dell’Informazione, Università di Siena (Italy) Department of Informatics, University of Bergen (Norway) Andrew Blyth Shuozhong Wang Information Security Research Group, School of Computing, University of School of Communication and Information Engineering, Shanghai Glamorgan (UK) University (China) Soon Ae Chun Zhi-Hui Wang College of Staten Island, City University of New York, Staten Island, NY School of Software, Dalian University of Technology (China) (USA) Chuan-Kun Wu Stefanos Gritzalis Chinese Academy of Sciences (P.R. China) and Department of Computer University of the Aegean (Greece) Science, National Australian University (Australia) Lakhmi Jain Chou-Chen Yang School of Electrical and Information Engineering, Department of Management of Information Systems, National Chung Hsing University of South Australia (Australia) University (Taiwan) James B D Joshi Sherali Zeadally Dept. of Information Science and Telecommunications, University of Department of Computer Science and Information Technology, University Pittsburgh (USA) of the District of Columbia, USA Ç etin Kaya Koç Jianping Zeng School of EECS, Oregon State University (USA) School of Computer Science, Fudan University (China) Shahram Latifi Justin Zhan Department of Electrical and Computer Engineering, University of Nevada, School of Information Technology & Engineering, University of Ottawa Las Vegas (USA) (Canada) Cheng-Chi Lee Mingwu Zhang Department of Library and Information Science, Fu Jen Catholic University College of Information, South China Agric University (China) (Taiwan) Yan Zhang Chun-Ta Li Wireless Communications Laboratory, NICT (Singapore) Department of Information Management, Tainan University of Technology (Taiwan) PUBLISHING OFFICE Iuon-Chang Lin Min-Shiang Hwang Department of Management of Information Systems, National Chung Hsing Department of Computer Science & Information Engineering, Asia University (Taiwan) University, Taichung 41354, Taiwan, R.O.C. John C.S. Lui Email: [email protected] Department of Computer Science & Engineering, Chinese University of Hong Kong (Hong Kong) International Journal of Network Security is published both in traditional Kia Makki paper form (ISSN 1816-353X) and in Internet (ISSN 1816-3548) at Telecommunications and Information Technology Institute, College of http://ijns.jalaxy.com.tw Engineering, Florida International University (USA) PUBLISHER: Candy C. H. Lin © Jalaxy Technology Co., Ltd., Taiwan 2005 23-75, P.O. Box, Taichung, Taiwan 40199, R.O.C. Volume: 21, No: 1 (January 1, 2019)

International Journal of Network Security

1. 2-Adic Complexity of Sequences Generated by T-Functions Yan Wang, Xueming Ren, Shunbo Li, Vol. 21, No. 1, 2019, pp. 1-6

Fully Secure Anonymous Identity Based Broadcast Encryption with Group of 2. Prime Order Yang Ming and Hongping Yuan, Vol. 21, No. 1, 2019, pp. 7-16

3. On The Secrecy Performance of Wireless Powered Device to Device Systems Dinh-Thuan Do, Vol. 21, No. 1, 2019, pp. 17-21

An Image Encryption Scheme Based on The Three-dimensional Chaotic 4. Logistic Map Chunhu Li, Guangchun Luo, and Chunbao Li, Vol. 21, No. 1, 2019, pp. 22-29

5. Granger Causality in TCP Flooding Attack Rup Kumar Deka, Dhruba Kumar Bhattacharyya, and Jugal Kumar Kalita, Vol. 21, No. 1, 2019, pp. 30-39

6. New Hierarchical Identity Based Encryption with maximum hierarchy Dasari Kalyani and R. Sridevi, Vol. 21, No. 1, 2019, pp. 40-46

A Selective Self-adaptive Image Cryptosystem Based on Bit-planes 7. Decomposition Hossam Diab, Vol. 21, No. 1, 2019, pp. 47-61

8. Privacy-Preserving and Dynamic Authentication Scheme for Smart Metering Xiuxia Tian, Fuliang Tian, Anqin Zhang, and Xi Chen, Vol. 21, No. 1, 2019, pp. 62-70

9. Multi-party Fair Exchange Protocol with Smart Contract on Bitcoin Lijuan Guo, Xuelian Li, and Juntao Gao, Vol. 21, No. 1, 2019, pp. 71-82

Medical Image Encryption Scheme Based on Multiple Chaos and DNA 10. Coding Joshua C. Dagadu, Jian-Ping Li, Emelia O. Aboagye, Faith K. Deynu, Vol. 21, No. 1, 2019, pp. 83-90

11. An Efficient Fully Homomorphic Encryption Scheme Ahmed El-Yahyaoui and Mohamed Dafir Ech-Cherif El Kettani, Vol. 21, No. 1, 2019, pp. 91-99

Cryptanalysis of the Mutual Authentication and Key Agreement Protocol 12. with Smart Cards for Wireless Communications Shu-Fen Chiou, Hsieh-Tsen Pan, Eko Fajar Cahyadi, and Min-Shiang Hwang, Vol. 21, No. 1, 2019, pp. 100-104

Secure and Efficient Ranked Keyword Search over Outsourced Cloud Data 13. by Chaos Based Arithmetic Coding and Confusion Mengting Hu, Hang Gao, Tiegang Gao , Vol. 21, No. 1, 2019, pp. 105-114

Three Kinds of Network Security Situation Awareness Model Based on Big 14. Data Bowen Zhu, Yonghong Chen, Yiqiao Cai, Vol. 21, No. 1, 2019, pp. 115-121

NPKG: Novel Pairwise Key Generation for Resisting Key-based Threats in 15. Wireless Sensor Network M. Vaneeta and S. Swapna Kumar, Vol. 21, No. 1, 2019, pp. 122-129

Cryptography Security Designs and Enhancements of DNP3-SA Protocol 16. Based on Trusted Computing Ye Lu and Tao Feng, Vol. 21, No. 1, 2019, pp. 130-136

Multimedia Social Network Authorization Scheme of Comparison-based 17. Encryption Cheng Li, Zhiyong Zhang, and Guoqin Chang, Vol. 21, No. 1, 2019, pp. 137-144

A Provable Secure Short Signature Scheme Based on Bilinear Pairing over 18. Elliptic Curve Subhas Chandra Sahana and Bubu Bhuyan, Vol. 21, No. 1, 2019, pp. 145-152

Identification and Processing of Network Abnormal Events Based on 19. Network Intrusion Detection Algorithm Yunbin He, Vol. 21, No. 1, 2019, pp. 153-159

Safety Protection of E-Commerce Logistics Information Data Under The 20. Background Of Big Data Yuan Zhao and Yanyan Zhang, Vol. 21, No. 1, 2019, pp. 160-165

A Context Establishment Framework for Cloud Computing Information 21. Security Risk Management Based on the STOPE View Bader Saeed Alghamdi, Mohamed Elnamaky, Mohammed Amer Arafah, Maazen Alsabaan, Saad Haj Bakry, Vol. 21, No. 1, 2019, pp. 166-176

International Journal of Network Security, Vol.21, No.1, PP.1-6, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).01) 1

2-Adic Complexity of Sequences Generated by T-Functions

Yan Wang, Xueming Ren, Shunbo Li, Song Zhao (Corresponding author: Yan Wang)

Department of Mathematics, Xi’an University of Architecture and Technology 13, YanTa Road, Xi’an 710055, China (Email: [email protected]) (Received July 12, 2017; revised and accepted Dec. 8, 2017)

Abstract pher and Hash functions to be the substitution of Linear Feedback Shift Register (LFSR). Single cycle T-functions are cryptographic primitives which can generate maximum periodic sequences. 2-Adic Sequences generated by single cycle T-function are complexity of a sequence measures the difficulty of out- studied from the point of cryptographic criterion. The putting a binary sequence using a feedback with carry autocorrelation property of coordinate sequences is stud- shift register. Based on the special properties of single ied by Kolokotronis and Wang [8,14], and the results show cycle T-functions, this paper investigates the 2-adic com- that such sequence is not so pseudorandom as people ex- plexity of sequences generated by single cycle T-functions pected. Linear complexity of sequences generated by sin- from the kth coordinate sequence to the state output se- gle cycle T-function has been discussed in [1, 9, 15–17], quence using the primality of Fermat number. It is shown which all show sequences generated by single cycle T- that the state output sequence of a T-function is far from function have quite high linear complexity. As for 2- high 2-adic complexity. adic complexity of a sequence, Dong [3] studied the k- Keywords: 2-Adic Complexity; Fermat Number; Se- error 2-adic complexity of a binary sequence of a period quence; T-Function pn. Anashin [2] present a new criteria for a T-function to be bijective or transitive. Jang and Jeong et al. [4] give a characterization of 1-Lipschitz functions on Fq[T ] 1 Introduction in terms of the van der Put expansion and use this re- sult to give sufficient conditions for measure-preserving The security of a stream cipher depends on the unpre- 1-Lipschitz function on Fq[T ] in terms of the three well dictability of the pseudo-random bit sequence. To ver- known bases, Carlitz polynomials, digit derivatives and ify the pseudo-randomness of a sequence, criterions of digit shifts. Sopin [12] presented the criteria of measure- pseudo-random sequence are proposed such as linear com- preserving(Haar) for pk−Lipschitz maps on the cartesian plexity, autocorrelation, 2-adic complexity and so on. In power of the ring of p-adic integers, where k is any nat- which 2-adic complexity of a sequence is used to measure ural of zero and p is an arbitrary prime. Sattarov [11] how large a feedback with carry shift registers (FCSRs) investigate the behavior of trajectory of a (3, 2)-rational is required to output a sequence. p-adic dynamical system in complex p-adic field Cp. Triangular functions (T-functions) are cryptography primitives proposed by Klimov and Shamir [7] which are This paper investigated the 2-adic complexity of se- built with help of fast arithmetic and Boolean operations quences generated by single cycle T-function, which refers wildly available on high-end microprocessors or on dedi- the k-th coordinate sequence, the state output sequence cated hard ware implementations. All the Boolean opera- by utilizing the properties of Fermat number. tions and most of the numeric operations in modern pro- cessors are T-functions, and their compositions are also T-functions. The main application of a single cycle map- The paper is organized as follows. Section 2 provides ping is in the construction of synchronous stream ciphers. the basis concept of T-function, feedback with carry shift Single cycle T-functions have some advantages as having register (FCSRs), and some properties needed in our de- 0 as its initial state, reaching the maximum length and duction. Section 3 analysis the 2-adic complexity of two having high efficiency in software, and they are suggested types sequences generated by single cycle T-functions. be new primitive of stream cipher, and also in block ci- Concluding remarks are given in Section 4. International Journal of Network Security, Vol.21, No.1, PP.1-6, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).01) 2

2 Background An FCSR is determined by r coefficients q1, q2, ··· , qr with qi ∈ {0, 1}, i = 1, 2, ··· , r, and an initial 2.1 T-functions and Their Generating Se- memory integer mr−1 which can be any integer. If quences the contents of the register at any given time are (an−1, an−2, ··· , an−r+1, an−r) where ai ∈ {0, 1}, i = Let F = {0, 1} be the finite field with two elements and 2 n − 1, ··· , n − r, and the memory integer is mn−1, then integer n denote the word size. An n length single word the operation of the shift register is defined as follows [6]: n x = (x0, x1, ··· , xn−1) is the vector in F which is the 2 r nth dimensional vector space over F . P 2 A1: Form the integer sum δn = qkan−k + mn−1; k=1 m×n l×n Definition 1. [7] Let x ∈ F2 , y ∈ F2 , and x = T T A2: Shift the contents one step to the right, outputting (x0, x1, ··· , xm−1) , y = (y0, y1, ··· , yl−1) , where xi = n the rightmost bit an−r; (xi,0, xi,1, ··· , xi,n−1) ∈ F2 , yi = (yi,0, yi,1, ··· , yi,n−1) ∈ n m×n l×n F2 . Let f : F2 → F2 satisfies f(x) = y. If the ith A3: Place an = δn(mod2) into the leftmost cell of the row of the output y of f only depends on the 0, 1, ··· , ith shift register; row of input x, we call f a T-function. When m = l = 1, we call f a single word T-function, otherwise a multiword A4: Replace the memory integer mn−1 with mn = (δn − T-function. an)/2 = bδn/2c.

Klimov and Shamir [7] have proved that every primi- Lemma 1. [13] Let x be an eventually periodical se- ∞ P i tive operation which include negation, complementation, quence. Then α = xi2 is equal to p/q the quotient of addition, subtraction, multiplication, XOR, and, and or, i=0 is a T-function. And an example of single cycle T- p, q, where q is the connect number of the FCSR gener- 2 n ating x. Moreover, x is strictly periodical if and only if function as xi = xi−1 ∨ C + xi−1 mod 2 is given, where n 1 ≤ α ≤ 0. xi ∈ Z, 0 5 xi 5 2 and C = ... 1012 or ... 1112. n n Let T-function f : F2 → F2 be the state transition Lemma 1 shows that every periodical sequence can be function, that is xi = f(xi−1). The sequence {xi}i≥0 is generated by an FCSR. called the state output sequence of f. If the state se- Let x be an eventually periodical binary sequence. If n quence {xi}i≥0 of f has minimal period N = 2 , f is q is the connect number of FCSR generating x, then q is called single cycle. Clearly, a single cycle T-function can called the connect number of x. The following lemma can produce a sequence with the maximal period sequence for be got for the connect number of a sequence x. n-bit words. The sequence {xi,k}i≥0(0 ≤ k ≤ n) generated by the Lemma 2. [13] Let x be generated by an FCSR, and kth bit of xi is called the kth coordinate sequence of f. q be the connect number of x. Then x is an eventually Following from [8], the kth coordinate has a period of periodical sequence and there exist an integer p such that ∞ N = 2k+1, and satisfies P i k α = xi2 = p/q. i=0 x k = x ⊕ 1. i+2 ,k i,k Lemma 3. [13] Let x be a strictly periodical sequence, then the minimum connect number qmin of x satisfies This property exposed a disadvantage of T-function that T k qmin ≤ 2 − 1. the effective period of {xi,k}i≥0 is 2 , a method of solving the problem is proposed in [8]. In this paper, we are interested in whether the bound T-function can also be represented by vectorial Boolean is tight. function such as f(x) = (f0(x), f1(x), ··· , fn−1(x)), The same as the linear complexity, the 2-adic com- where each fk(x)(0 ≤ k < n) is called the kth coordi- plexity of a sequence is intended to measure how large an nate Boolean function which only depends on the first FCSR is required to output the sequence. k bits of x. By the definition of T-function, the output of the kth coordinate Boolean is just the kth coordinate Definition 2. [13] Let x is a eventually binary sequence, ∞ sequence of {x } . P i i i≥0 xi2 = p/q, where gcd(p, q) = 1. The real number We want to make some observation about the proper- i=0 ties of the sequences created by single cycle T-functions. φ2(x) = log2(Φ(p, q)) is called the 2-adic complexity of x, where Φ(p, q) = max(|p| , |q|). 2.2 2-Adic Complexity Actually, if a binary sequence s is strictly periodic, then its 2-adic complexity is clearer. The following corollary Since the security of traditional stream ciphers LFSR can be easily obtained. based is called into question, Goresky and Klapper pro- posed the feedback with carry shift register (FCSR) [5] Corollary 1. [13] Let x be a strictly periodical binary which is similar to linear feedback shift register (LFSR) sequence with the minimum connect number q. Then the but with carry from one state to another. 2-adic complexity of x is φ2(x) = log2q. International Journal of Network Security, Vol.21, No.1, PP.1-6, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).01) 3

Definition 3. Let x be an FCSR sequence with connect and then adding them together: number q and period T . x is called maximum period FCSR k sequence, or l-sequence, if T = ϕ(q) where ϕ(q) is Euler 1 2 4 ... 2i ... 22 −1 k k k k k k function value of q. 22 2 · 22 4 · 22 ... 2i · 22 ... 22 −1 · 22 If x is a l-sequence with connect number q, then e k ordq(2) = ϕ(q) [6], and q = p for some prime p and Denote that S = {i|xi+2k,k = 1, 0 ≤ i ≤ 2 − 1} e−1 integer e, thereby T = ϕ(q) = p (p − 1). with cardinality m. So S also can be {i1, i2, ··· , im}, and xi,k = 0, i ∈ S. Then the sum in Equation(2) will be:

3 Main Results 2k−1 X i i+2k [xi,k · 2 + (xi,k ⊕ 1) · 2 ] 3.1 2-Adic Complexity of the kth Coor- i=1 dinate Sequence 2k−1 2k−1 X X k = (1 · 2i) + x · (2i+2 − 2i)] In this section, 2-adic complexity of periodic sequences i,k i=1 i=1,i∈S generated by single cycle T-function are discussed. k k = (22 − 1) + (22 − 1)(2i1 + 2i2 + ... + 2im ) n n Lemma 4. Let f : F2 → F2 be single cycle T-function k = (22 − 1)(1 + 2i1 + 2i2 + ... + 2im ). with state sequence {xi}i≥0. Then the minimum connect integer qmin of the kth (0 < k < n) coordinate sequence 2k+1 So the right fraction term in Equation (1) will be satisfies qmin ≤ 2 − 1.

k Proof. This result can be proved according to the fact (22 − 1)(1 + 2i1 + 2i2 + ... + 2im ) that the kth coordinate sequence have a period of 2k+1 (22k − 1)(22k + 1) and Lemma 3. 1 + 2i1 + 2i2 + ... + 2im = (3) n n 2k Theorem 1. Let f : F2 → F2 be single cycle T- 2 + 1 function. Denote by sk the kth coordinate output se- quence. Then the 2-adic complexity φ (s ) = log F Denote the kth Fermat number as Fk. For the case 2 k 2 k of 2-adic complexity of the kth coordinate sequence, the when k = 0, 1, 2, 3, 4, where Fk is the kth Fermat Number k question becomes whether the kth Fermat number is a 22 + 1. composite number.

Proof. Denote the elements of sk as xi, i = 0, 1, 2, ··· . From [10], the first five Fermat number F0 = 3,F1 = By Lemma 2 and Lemma 4, for the sake of the 2-adic 5,F2 = 17,F3 = 257 and F4 = 65537 are indeed prime. complexity of the kth coordinate sequence, we need to As far as the numerator, since 1 + 2i1 + 2i2 + ··· + k discuss 2im < 22 + 1, we can deduce that the 2-adic complexity

T −1 of the kth coordinate sequence for all the single cycle T- P i ∞ xi2 function is log2 Fk when k = 0, 1, 2, 3, 4, and they are X i i=0 x 2 = log2 3, log2 5, log2 17, log2 257, log2 65537. i 1 − 2T i=0 n n 2k+1−1 Theorem 2. Let f : F2 → F2 be single cycle T- P i xi2 function, sk be the kth coordinate output sequence of f, i=0 T = 2k+1 be the period of s , and q be the minimum con- = − k+1 k 22 − 1 T nect integer. Then, φ2(sk) < T ≤ ϕ(q) < 2 − 2 for 2k+1−1 P i k = 0, 1, 2, 3, 4, where ϕ is the Euler function. xi2 i=0 = − k k (1) Proof. Firstly, by Theorem 1, (22 − 1)(22 + 1)

2k From the property of Single cycle T-function, the numer- φ2(sk) = log2(2 + 1) ator can be expressed as 2k 2k < log2 2 · 2 k+1 2k+1−1 2k−1 2 = log2 2 X i X i i+2k xi2 = [xi,k · 2 + xi+2k,k · 2 ] = 2k+1 i=0 i=1 = T. 2k−1 X i i+2k = [x · 2 + (x ⊕ 1) · 2 ] (2) k i,k i,k Since ϕ(q) = 22 and T = 2k+1, we have T ≤ ϕ(q), where i=1 the equation is established if and only if k = 0, 1. When 2k Since {xi, xi ⊕1} = {0, 1}, the above sum means choosing k = 0, 1, 2, 3, 4, q = 2 + 1 is prime, ϕ(q) = q − 1, and by a number from every column in the following numbers Lemma 3, q < 2T − 1, we have ϕ(q) < 2T − 2. International Journal of Network Security, Vol.21, No.1, PP.1-6, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).01) 4

Thus, the kth coordinate sequence is an l-sequence F 13 = 710954639361 × 2663848877152141313 when k = 0, 1. ×3603109844542291969 As for 5 ≤ k ≤ 23, it has been proved that F is k ×319546020820551643220672513 composite [10], and also, for k ≥ 2, the factors of Fk are of the form m2k+2 + 1. There still no new Fermat prime ×C2391. number was found. Every minimum connect number is equal to one or a n n k+1 Theorem 3. Let f : F2 → F2 be single cycle T- sum of the factors, compare them with T = 2 we can function, sk be the kth coordinate output sequence of f, verify the inequality. and F = p p ··· p , where k ≥ 5 and p , i = 1, 2, ··· , t is k 1 2 t i Actually, when 14 ≤ k ≤ 23, we have known that F prime. Then, k is a composite number while the factors is unknown, we 1) If the bottom half of sk is just the binary number of have the conjecture that the above inequality still holds. Fk some pi, then the 2-adic complexity of sk is log ; From Theorem 1 and Theorem 3, we know that 2-adic 2 pi complexity of the kth coordinate sequence is far out of 2) If the bottom half of s has factors k reach the maximum value. {pj1 , pj2 , ··· , pju } ⊂ {p1, p2, ··· , pt}, then the Fk 2-adic complexity of sk is log2 p p ···p . j1 j2 ju 3.2 2-Adic Complexity of the State Out- Proof. If k ≥ 5, and Fk has a prime factorization put Sequence Fk = p1p2 ··· pt, then the 2-adic complexity depends n n on the factorization of the numerator in Equation (3). Theorem 5. Let f : F2 → F2 be sin- Since the bottom half of sequence sk is just the expo- gle cycle T-function with state sequence S = nential sequence of the numerator in Equation (3), and x0,0, x0,1, ··· , xi,j, ··· , xn−1,2n−1, i = 0, 1, ··· , n − 1, 1 n n Equation (3) will become . And it will become j = 0, 1, ··· , 2 − 1 which has a period of n · 2 . Then st Fk/pi n·2n−1+1 1 has the maximum 2-adic complexity log22 . when the bottom half of sk has factors Fk/pj1 pj2 ···pju Proof. For the state output sequence, check the following {pj1 , pj2 , ··· , pju } ⊂ {p1, p2, ··· , pt}. fraction: n n Theorem 4. Let f : F2 → F2 be single cycle T- n T −1 n−1 2 −1 n function, s be the kth (k ∈ Z, 5 ≤ k ≤ 13) coor- P i P P j+i·2 k ∞ x 2 xi,j2 k+1 i dinate output sequence of f, T = 2 be the period X i i=0 i=0 j=0 xi2 = T = T of sk, and q be the minimum connect integer. Then, 1 − 2 1 − 2 T i=0 φ2(sk) < T < ϕ(q) < 2 −2, where ϕ(q) is Euler function value of q. n − 1 ... 2 1 0 0 x ... x x x Proof. We just need to verify that T < φ(q) for (k ∈ 0,n−1 0,2 0,1 0,0 1 x ... x x x Z, 5 ≤ k ≤ 13). We need to check the factorization of F 1,n−1 1,2 1,1 1,0 k . for (k ∈ Z, 5 ≤ k ≤ 13). Since . n F 5 = 641 × 6700417 2 − 1 x2n−1,n−1 ... x2n−1,2 x2n−1,1 x2n−1,0 F 6 = 274177 × 67280421310721 F 7 = 59649589127497217 × 5704689200685129054721 If xi,j = 1, the first half of the sum in numerator be- F 8 = 1238926361552897 × 9346163971535797776916 comes 3558199606896584051237541638188580280321 n−1 2n−1−1 X X n n−1 1 · 2j+i·2 = 2n·2 − 1 F 9 = 2424833 × 7455602825647884208337395736 i=0 j=0 200454918783366342657 × 74164006262753 Denote the location of nonzero in the last bottom half 08015247871419019374740599407810975190239 of S by t1, t2, ··· , tu, then the last half of the sum in 05582131614441575950470008092818711693940 numerator is n−1 737 (2n·2 − 1)(2t1 + 2t2 + ··· + 2tt ) F 10 = 45592577 × 6487031809 × 465977578522001 So the whole sum in numerator is

8543264560743076778192897 × P 252 n−1 (2n·2 − 1)(1 + 2t1 + 2t2 + ··· + 2tt ) F 11 = 319489 × 974849 × 167988556341760475137 ×3560841906445833920513 × P 564 and Equation 3.2 will be F 12 = 114689 × 26017793 × 63766529 × 190274191361 1 + 2t1 + 2t2 + ··· + 2tt ×1256132134125569 × 5686306475353569551 1 + 2n·2n−1 69033410940867804839360742060818433 n·2n−1+1 So st has the maximum 2-adic complexity log22 . ×C1133 International Journal of Network Security, Vol.21, No.1, PP.1-6, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).01) 5

n−1 We can verify when n = 2, 2n·2 +1 is prime, and the National Natural Science Foundation of China (No. n−1 when n = 3, 4, 5, 2n·2 +1 is composite number. When 11471255), and the Talents Foundation of Xi’an Univer- n is more lager, we can have the following corollary: sity of Architecture and Technology (No.RC 1338).

Corollary 2. Both the kth coordinate sequence and the state output sequence of single cycle T-function have max- T/2 References imum 2-adic complexity as log2 (2 + 1), where T is the period of the sequence. [1] V. Anashin and A. Khrennikov, “Applied algebraic n n dynamics,” P-Adic Numbers, Ultrametric Analysis, Corollary 3. Let f(x): F2 → F2 be a single cycle T- function. Then the maximum 2-adic complexity of its kth and Applications, vol. 2, no. 4, pp. 360–362, 2010. coordinate sequence and state output sequence have ap- [2] V. Anashin, A. Khrennikov, and E. Yurova, “T- proximate value T/2 where T is the period of the sequence. functions revisited: New criteria for bijectiv- ity/transitivity,” Designs Codes and Cryptography, n·2n−1+1 Proof. This result can be deduced by log22 ≈ vol. 71, no. 3, pp. 383–407, 2014. n·2n−1 log2 2 = T/2. [3] L. H. Dong and Y. P. Hu, “Computing the k-error 2-adic complexity of a binary sequence of period pn,” Compare to the m-sequence [13], the single cycle T- International Journal of Computer Science and Net- function sequence can have the same well properties when work Security, no. 3, pp. 66–70, 2006. we choose the coordinate sequence. [4] Y. Jang, J. Sangtae, and C. L. Li, “Criteria of measure-preservation for 1-lipschitz functions on f q Corollary 4. Let s be the state output sequence of a sin- [[t]] in terms of the van der put basis and its applica- gle cycle T-function f with period T , 2-adic complexity tions,” Finite Fields and Their Applications, vol. 37, φ (s), minimum connect number q. Then ϕ(q) < 2T − 2, 2 pp. 131–157, 2016. and T [5] A. Klapper and M. Goresky, “2-adic shift registers,” φ2(sk) < T < ϕ(q) < 2 − 2 in Fast Software Encryption, pp. 174–178, 1994. 2 4 5 6 7 8 holds when f is defined in F2,F2 ,F2 ,F2 ,F2 ,F2 ,F2 , [6] A. Klapper and M. Goresky, “Feedback shift reg- 16 32 F2 ,F2 . isters, 2-adic span, and combiners with memory,” Journal of Cryptology, vol. 10, no. 2, pp. 111–147, Proof. Since the connect number ϕ(q) ≤ q−1 for all prime 1997. or composite number q, we have ϕ(q) < q − 1 < 2T − 2. [7] A. Klimov and A. Shamir, “A new class of invert- By Corollary T3, φ2(sk) ≤ T/2, so φ2(sk) < T . For n n ible mappings,” in The 4th International Workshop f : F2 → F2 where n = 1, 2, 4, 5, 6, 7, 8, 16, 32, we can verify that the minimum vale of ϕ(q) is less than n · 2n, on Cryptographic Hardware and Embedded Systems T (CHES ’02), pp. 470–483, 2003. so φ2(sk) < T < ϕ(q) < 2 − 2. [8] N. Kolokotronis, “Cryptographic properties of non- linear pseudorandom number generators,” Designs 4 Conclusions Codes and Cryptography, vol. 46, pp. 353–363, 2008. [9] X. Ma, T. Yan, D. Zhang, and Y. Liu, “Linear com- Since it is suggested that a single cycle T-function can plexity of some binary interleaved sequences of pe- be the substitution of linear feedback shift register for riod 4n,” International Journal of Network Security, its long cycle and nonlinearity structure. Comparison vol. 18, no. 2, pp. 244–249, 2016. between m-sequence and sequences generated by single [10] P. B. Richard, “Factorization of the tenth and cycle T-function become and interesting problem. Tian eleventh fermat numbers,” Mathematics of Compu- Tian shows 2-adic complexity of the m-sequence attains tation, vol. 68, no. 154, pp. 627–630, 2000. the maximum in [13]. And in [15], it is shown that the [11] I. A. Sattarov, “p-adic (3, 2)-rational dynamical sys- sequences generated by single cycle T function have high tems,” P-Adic Numbers, Ultrametric Analysis, and linear complexity. In this paper, 2-adic complexity of the Applications, vol. 7, no. 1, pp. 39–55, 2015. kth coordinate sequence, the state output sequence gen- [12] V. Sopin, “Criteria of measure-preserving for p k- erated by a single cycle T-function is studied. It is shown lipschitz mappings,” P-Adic Numbers, Ultrametric that these two sequences are not as pseudo-random as Analysis, and Applications, vol. 7, no. 1, pp. 76–79, m-sequence in the respect of 2-adic complexity. 2015. [13] T. Tian and W. F. Qi, “2-adic complexity of bi- Acknowledgments nary m-sequences,” IEEE Transactions on Informa- tion Theory, vol. 56, no. 1, pp. 450–454, 2010. This study was supported by the Natural Science Ba- [14] Y. Wang, Y. P. Hu, S. B. Li, and Y.Yang, “Au- sic Research Plan in Shaanxi Province of China (No. tocorrelation of sequences generated by single cycle 2014JQ1027), Basic Research Foundation of Xi’an Uni- t-functions,” China Communications, vol. 8, no. 5, versity of Architecture and Technology (No. JC1416), pp. 144–150, 2011. International Journal of Network Security, Vol.21, No.1, PP.1-6, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).01) 6

[15] Y. Wang, Y. P. Hu, S. B. Li, and Y. Yang, “Lin- Xueming Ren Ph. D., second grade professor, Ph. D. ear complexity of sequence produced by single cy- supervisor, Ph. D. graduated from Chinese University cle t-function,” The Journal of China Universities of Hong Kong. The main research areas are semigroup alge- Posts and Telecommunications, vol. 18, pp. 123–128, bra theory and its applications. Presided over the comple- 2011. tion of 7 National Natural Science Foundation Project and [16] W. Y. Zhang and C. K. Wu, “The algebraic normal the Shaanxi Natural Science Foundation Projection. Pub- form, linear complexity and k-error linear complex- lished more than 80 scientific research papers in impor- ity of single-cycle t-function,” Sequences and Their tant journals at home and abroad, such as the ”Journal Applications (SETA’06), pp. 391–401, 2006. of Algebra”, ”Communications in Algebra”, ”Semigroup [17] L. Zhao and Q. Y. Wen, “Linear complexity and sta- Forum”, ”Chinese science”, ”Science Bulletin”. These bility of output sequences of single cycle t-function,” theses have been cited by many domestic and foreign Journal of Beijing University of Posts and Telecom- colleagues in important academic journals. His research munications, vol. 31, no. 4, pp. 62–65, 2008. achievements have won the first prize of the Provincial Natural Science, the ministerial level scientific and tech- nological progress third prize, and the Provincial Educa- Biography tion Commission, science and technology progress second prize ones. Yan Wang Ph.D., associate professor, Bachelor of Shaanxi Normal University in 2003, Ph. D. of Xi’an Shunbo Li Associate professor at School of Science, Electronic and Science University in 2012, visiting scholar Xi’an University of Architecture and Technology, China. of Ohio State University in 2015. Research direction is Received the Ph.D. degree in applied mathematics from cryptography. Presided over 1 Shaanxi Natural Science Xidian University, Xi’an, China, in 2012. His research Foundation Projection and 1 Natural Science Foundation fields include information security theory and stream ci- of Shaanxi Education Department. Published more than pher. Published more than 20 scientific research papers 20 scientific research papers in important journals at in important journals at home and abroad. home and abroad. International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 7

Fully Secure Anonymous Identity Based Broadcast Encryption with Group of Prime Order

Yang Ming and Hongping Yuan (Corresponding author: Yang Ming)

School of Information Engineering, Chang’an University Middle-section of Nan’er Huan Road, Xi’an, Shaanxi 710064, China (Email: [email protected]) (Received Aug. 31, 2017; revised and accepted Nov. 5, 2017)

Abstract IBE is that a user can utilize the identity (Email address, IP address, etc.) of recipient as public key to encrypt Anonymous identity based broadcast encryption (IBBE) a message. It simplifies the management of public key is a cryptographic primitive, which allows a broadcaster certificates and avoids the need to distribute certificates. to transmit encrypted data over a broadcast channel to Identity based broadcast encryption (IBBE) is a general- a large number of users such that only a select subset of ization of identity based encryption (IBE). A scenario of privileged users can decrypt it and any user cannot dis- IBBE is shown in Figure 1. tinguish the encrypted message to which user. In this paper, based on the asymmetric bilinear pairing, a new Private Key Generator anonymous IBBE scheme is proposed. Under the assump- (PKG) Pr ivate Key Pr tion of symmetric external Diffie-Hellman, we prove that iva Plaintext te Ke the proposed scheme is fully secure (adaptive security) y Authorized user in the standard model using the dual system encryption Ciphertext method. This construction utilizes the dual pairing vector Broadcast Channel Plaintext space technique in the group of prime order to realize the Broadcaster Authorized user parameter hiding and cancelling properties of the group of composite order. The performance analysis depict that Unauthorized user the proposed scheme achieves simultaneously the constant size system parameters, private keys and ciphertexts. In Figure 1: A typical structure of IBBE addition, the recipient anonymity can be captured. Keywords: Dual System Encryption; Fully Secure; Group In 2007, Delerable [3] proposed an IBBE scheme, which of Prime Order; Identity Based Broadcast Encryption captures constant size ciphertexts and private keys. But the proposed scheme was only selective-identity secure (the adversary must declare at the beginning of its at- 1 Introduction tack which identity it will target) in the random oracles model. In 2009, Gentry et al. [8] presented a provably In 1993, Fiat and Naor [6] first introduced the concept of secure BE scheme in the standard model, which achieved broadcast encryption (BE). In a BE scheme, the broad- fully secure (the adversary may choose the target iden- caster broadcasts encrypted message over a broadcast tity adaptively) with sublinear ciphertext. Ren et al. [25] channel to some subset of users. Any user in the desig- proposed an IBBE scheme with constant size ciphertexts nated subset can decrypt the ciphertext using his private and public keys. The proposed scheme was fully secure in key. Broadcast encryption is widely used in many fields, the standard model. Based on the dual system encryption such as multicast communication, pay TV, satellite based idea, a BE scheme in the bilinear groups of composite or- electronic commerce, etc.. Since the concept of broadcast der was presented by Waters [30]. However, this scheme encryption is proposed, many BE schemes [1,4,5,12,18,28] is inefficient because of decryption cost depending on the have been proposed. user number. In 2010, Lewko et al. [20] presented an In 1984, the concept of identity based encryption (IBE) IBBE scheme in the groups of composite order and proved was firstly proposed by Shamir [27]. The main idea of the security under the general subgroup decision assump- International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 8 tion. The proposed scheme satisfied fully secure under tures: cancelling (orthogonality) and projecting and given the static assumption via the convenient properties of the a general technique to convert composite order schemes bilinear groups of composite order. In 2012, Zhang et into prime order schemes relying on either cancelling or al. [33] presented a fully secure IBBE using dual system projecting. In 2016, Ming et al. [23] proposed a secure encryption technique in the subgroups, which achieved IBBE scheme using dual system encryption in the group the constant size ciphertexts and private keys. In 2015, of prime order. In this paper, based on the asymmetric Kim et al. [13] proposed an IBBE scheme with constant bilinear pairing, we present an anonymous IBBE scheme size ciphertexts. This scheme was adaptively secure under using the dual pairing vector space and dual system en- the general decisional subgroup assumption in the stan- cryption techniques. The proposed scheme captures fully dard model using the technique of dual system encryp- secure (adaptive security) in the standard model assume tion. In 2016, Susilo et al. [29] given a recipient-revocable that the symmetric external Diffie-Hellman problem is IBBE scheme, where ciphertext size is independent of the hard. The performance analysis shows that the pro- number of receivers. posed scheme has constant size system parameters, ci- In 2012, an anonymous BE scheme in the standard phertexts and private keys, and achieves the receiver’s model was proposed by Libert et al. [21]. However, in identity anonymity. which ciphertext size grows with the receiver numbers lin- The rest of this paper is organized as follows. The pre- early. In 2013, Zhang et al. [35] presented an anonymous liminaries are presented in Section 2. Section 3 gives the BE scheme with the group of composite order in the stan- formal model of anonymous IBBE. Our concrete construc- dard model, that was proved fully secure and the cipher- tion is described in Section 4. Section 5 evaluates the per- text size was constant at the same time. In 2014, Xie et formance. Finally, conclusions are provided in Section 6. al. [31] presented an anonymous IBBE scheme in the bilin- ear groups of prime order. The proposed scheme achieved adaptive secure under the asymmetric decisional bilinear 2 Preliminaries Diffie-Hellman Exponent assumption without using the random oracles. However, the system parameter and pri- 2.1 Asymmetric Bilinear Groups vate key size grows with the number of users and that of Assume G1, G2 and GT be three cyclic groups with order receivers linearly, respectively. Ren et al. [26] proposed a of q, where q is a large prime. Let g and g be a generator fully secure anonymous IBBE scheme based on asymmet- 1 2 of G1 and G2, respectively. The bilinear map e : G1 × ric bilinear groups, which achieved adaptive secure in the → has the following properties [14, 22]: standard model. But, system parameter, ciphertext and G2 GT private key size grows with the number of users or that of Bilinearity: For all g1 ∈ G1, g2 ∈ G2 and s, t ∈ Zq, receivers linearly, respectively. In 2015, Zhang et al. [34] s t st e(g1, g2) = e(g1, g2) . proposed a leakage-resilient anonymous IBBE with con- stant size ciphertexts, which achieved fully secure in the Non-degeneracy: e(g1, g2) 6= 1. standard model. However, the system parameter size is not constant and relies on the number of users. In 2016, Computability: There exists an efficient algorithm to Lai et al. [16] constructed an anonymous IBBE with ci- compute e(g1, g2) for all g1 ∈ G1, g2 ∈ G2. phertext revocation. He et al. [9] proposed a generic IBBE construction in the random oracle model, which has con- 2.2 Dual Pairing Vector Spaces stant size system parameters, the private keys and de- cryption cost. He et al. also [10] presented a secure IBBE The asymmetric dual pairing vector spaces technique [24] scheme under the DBDH assumption. The new scheme will be utilized in the following proposed scheme. For n v was efficient and simultaneously achieved confidentiality v = (v1, ···, vn) ∈ Zq and gβ ∈ Gβ, gβ is defined as n and anonymity. Xu et al. [32] proposed an IBBE scheme elements of Gβ for β = 1, 2: with constant decryption complexity and strong anony- gv = (gv1 , ···, gvn ). mous. In 2017, He et al. [11] given a generic IBBE scheme β β β that achieved confidentiality and anonymity. The pro- n For any a ∈ Zq and v, w ∈ Zq , we have: posed scheme was proven security in the random oracle model and satisfied constant size system parameters and av av1 avn v+w v1+w1 vn+wn gβ = (gβ , ··· , gβ ), gβ = (gβ , ··· , gβ ). private keys. Lai et al. [15, 17] proposed the fully re- vocable privacy-preserving IBBE schemes in the random Then we define oracle model. n v w Q vi wi v·w To achieve the same security level, when the size of the e(g1 , g2 ) = e(g1 , g2 ) = e(g1, g2) . i=1 elliptic curve group of composite order is 1024 bits, and ∗ ∗ ∗ that of prime order is only 160 bits [7]. Therefore, how The two bases B = (b1, ···, bn) and B = (b1, ··· , bn) n to design the IBBE scheme in the group of prime order of Zq are randomly chosen to satisfy “dual orthonormal”. ∗ ∗ becomes a hot issue. In 2010, Freeman et al. [7] firstly This is to say that br · bk = 0(mod q) for r 6= k, bk · bk = showed that the group of composite order has two fea- ψ(mod q) for all k and a random element ψ ∈ Zq. International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 9

2.3 Security Assumptions and

µ b∗+µ b∗ Decisional Diffie-Hellman problem in (DDH1): Given 1 1 2 K+1 G1 U1 = g1 , ··· , a b D = ( , , , g , g , q, e, g , g ), pick randomly ∗ ∗ G1 G2 GT 1 2 1 1 µ1bK +µ2b2K ab UK = g1 , g1 ∈ G1, g2 ∈ G2, a, b, c ∈ Zq and T1 = g1 ,T2 = ab+c V = gτ1b1 , ··· , g1 , the DDH1 problem is to distinguish T1 and 1 2 τ1bK T2. VK = g2 , τ1b1+τ2bK+1 The advantage of an algorithm B solving the DDH1 W1 = g2 , ···, problem is defined as: τ1bK +τ2b2K WK = g2 .

DDH1 b∗ b∗ b∗ AdvB = |Pr[B(D,T1)] − Pr[B(D,T2)]|. 1 K 2K+1 Let D = (G1, G2, GT , q, e, g1, g2, g1 , ··· , g1 , g1 , ∗ bN b1 bN ··· , g1 , g2 , ··· , g2 ,U1, ··· ,UK , µ2), where K,N are Decisional Diffie-Hellman problem in G2 (DDH2): Given positive integers satisfying 2K ≤ N. The DS2 problem is a b D = (G1, G2, GT , g1, g2, q, e, g2 , g2), pick randomly to distinguish V1, ··· ,VK and W1, ··· ,WK . ab g1 ∈ G1, g2 ∈ G2, a, b, c ∈ Zq and T1 = g2 ,T2 = The advantage of an algorithm B solving the DS2 prob- ab+c g2 , the DDH2 problem is to distinguish T1 and lem is defined as: T2. AdvDS2 = The advantage of an algorithm B solving the DDH2 B |Pr[B(D,V1, ···,VK ) = 1] − Pr[B(D,W1, ··· ,WK ) = 1]|. problem is defined as: The DS1 problem is intractable if DDH1 problem is DDH2 hard, the DS2 problem is intractable if DDH2 problem is Adv = |Pr[B(D,T1)] − Pr[B(D,T2)]|. B hard [2].

Symmetric external Diffie-Hellman assumption [2]: This assumption holds if both DDH 1 and DDH 2 prob- 3 Framework of Anonymous lems are intractable. IBBE

Decisional subspace problem in G1 (DS1): Given ∗ ∗ ∗ 3.1 Syntax G1, G2, GT , q, e, B = (b1, ··· , bn), B = (b1, ··· , bn), pick randomly g1 ∈ G1, g2 ∈ G2, τ1, τ2, µ1, µ2 ∈ Zq An IBBE scheme with security parameter λ consists of and the following algorithms:

µ b∗+µ b∗ 1 1 2 K+1 Setup: Given λ and m, the maximal size of the receiver U1 = g2 , ··· , ∗ ∗ set for one encryption, the Private Key Generator µ1bK +µ2b2K UK = g2 , (PKG) generates the system parameter params and τ1b1 V1 = g1 , ··· , the master key msk. The params is made public τ1bK VK = g1 , while the msk is kept secret. τ1b1+τ2bK+1 W1 = g1 , ···, Extract: Given params, msk and a user’s identity ID, τ1bK +τ2b2K WK = g1 . this algorithm outputs the private key SKIDi and sends it to the user via a secure channel.

∗ ∗ b1 bK Let D = (G1, G2, GT , q, e, g1, g2, g2 , ··· , g2 , Encrypt: Given params, a set of identities S = b∗ ∗ 2K+1 bN b1 bN {ID1, ··· ,IDn} with n ≤ m and a message M, this g2 , ··· , g2 , g1 , ··· , g1 ,U1, ··· ,UK , µ2), where K,N are positive integers satisfying 2K ≤ N. algorithm outputs a ciphertext CT . The DS1 problem is to distinguish V1, ··· ,VK and Decrypt: Given params, a subset S = {ID1, ··· ,IDn} W1, ··· ,WK . with n ≤ m, a ciphertext CT , an identity IDi and

The advantage of an algorithm B solving the DS1 the private key SKID i , if IDi ∈ S, this algorithm problem is defined as: outputs the plaintext M.

DS1 AdvB = | Pr[B(D,V1, ··· ,VK ) = 1] 3.2 Security Model − Pr[B(D,W , ··· ,W ) = 1]|. 1 K We depict the fully secure (adaptive security) model for the anonymous IBBE scheme. The security is defined by Decisional subspace problem in G2 (DS2): Given the following interaction game played between the adver- ∗ ∗ ∗ G1, G2, GT , q, e, B = (b1, ··· , bn), B = (b1, ··· , bn), sary A and the challenger C. Let Ω the maximal size of pick randomly g1 ∈ G1, g2 ∈ G2, τ1, τ2, µ1, µ2 ∈ Zq the receivers set. International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 10

∗ ∗ ∗ d1 d2 Setup: The challenger C runs the algorithm Setup to D . The master key is msk = {α, g2 , g2 }. produce the master key msk and the system param- The public system parameters are params = ∗ αd1d1 d1 d2 eters params. Then C keeps master key msk secret {G1, G2, GT , g1, g2, e, q, e(g1, g2) , g1 , g1 }. and returns params to A. Extract: Given the identity IDi ∈ S, where S = Phase 1: The adversary A adaptively issues the private {ID1, ··· ,IDn} for n ≤ m, the PKG randomly 1 n key queries and decryption queries. chooses r1, ··· , r1 ∈ Zq and computes SKIDi = {k1, k2} as follows: Private key query: Given a private key query on IDi, (α+ri ID )d∗−ri d∗ C runs the algorithm Extract to produce the private 1 i 1 1 2 k1 = g2 , i−1 i+1 key SKIDi and return it to A. 1 2 n ∗ (r1 +r1 +···+r1 +r1 +···+r1 )(ID1+···+IDn)d1 k2 = g2 Decryption Query: Given a decryption query on i ∗ r1(ID1+ID2+···+IDi−1+IDi+1+···+IDn)d1 ·g2 (IDi, S, CT ) with S ⊆ Ω and IDi ∈ S. C firstly −(r1+r2+···+ri−1+ri+1+···+rn)d∗ runs the algorithm Extract to produce the private 1 1 1 1 1 2 ·g2 . key SKIDi . Then it runs the algorithm Decrypt to obtain the message M and send it to A. Encrypt: Given the massage M, a broadcaster randomly chooses z ∈ Zq and computes the ciphertext: Challenge: At the end of Phase 1, A outputs two same- ∗ ∗ ∗ ∗ length messages M0 ,M1 and two user sets S0 ,S1 on CT = {C1,C2} ∗ which it wants to be challenged. The challenger C se- αzd1d zd1+z(ID1+···+IDn)d2 = {M · e(g1, g2) 1 , g } lects a random value θ ∈ {0, 1} and denotes the chal- 1 ∗ ∗ ∗ lenge ciphertext CT = Encrypt(params, Mθ ,Sθ ). Decrypt: Given the ciphertext CT = {C1,C2}, any user ∗ At last, C sends CT to A as its challenge cipher- IDi ∈ S can compute text. M = C1 . Phase 2: The adversary A issues queries adaptively e(C2,k1k2) again as in Phase 1. The challenger C responses these queries as Phase 1 except that A is not permit- 5 Analysis ∗ ∗ ted to issue a private key query on any IDi ∈ S0 ,S1 ∗ ∗ ∗ ∗ and a decryption query on (CT ,S0 ) and (CT ,S1 ). 5.1 Correctness

Guess: Eventually, the adversary A outputs its guess C1 θ0 ∈ {0, 1}. A wins the game if θ0 = θ. e(C2, k1k2) ∗ αzd1d M · e(g1, g2) 1 = ∗ ∗ The advantage of A wins the game is defined as zd1+z(ID)d2 [α+R(ID)]d1 −Rd2 e(g1 , g2 ) ∗ 0 αzd1d AdvA = |2 Pr[β = β] − 1|. M · e(g1, g2) 1 = ∗ ∗ ∗ αzd1d +zR(ID)d1d −zR(ID)d2d e(g1, g2) 1 1 2 Definition 1. An anonymous IBBE scheme is said to be ∗ αzd1d M · e(g1, g2) 1 (qk, qd, t, ε)-ANONY-IND-ID-CCA secure if for any ad- = ∗ αzd1d +[zR(ID)−zR(ID)]ψ e(g1, g2) 1 versary making at most qk private key queries and qd decryption queries in time t has advantage ε, we have = M. Adv ≤ ε. ID = ID1 + ID2 + ··· + IDn A 1 2 n R = r1 + r1 + ··· + r1 i ∗ i ∗ Definition 2. An anonymous IBBE scheme is said to be (α+r1IDi)d1 −r1d2 k1 · k2 = g2 (qk, t, ε)-ANONY-IND-ID-CPA secure if it is (qk, 0, t, ε)- 1 2 i−1 i+1 n ∗ (r1 +r1 +···+r1 +r1 +···+r1 )(ID1+···+IDn)d1 ANONY-IND-ID-CCA secure. ·g2 i ∗ r1(ID1+ID2+···+IDi−1+IDi+1+···+IDn)d1 ·g2 1 2 i−1 i+1 n ∗ −(r1 +r1 +···+r1 +r1 +···+r1 )d2 4 The Proposed Scheme ·g2 [α+(r1+···+rn)(ID +···+ID )]d∗−(r1+···+rn)d∗ = g 1 1 1 n 1 1 1 2 This section describes an anonymous IBBE scheme with 2 group of prime order. Let m denote the maximum size of the user set. The concrete construction includes the following phases: 5.2 Security Proof Setup: Given the security parameter λ and a bilin- To prove the security of the proposed scheme using the ear map e : G1 × G2 → GT , the PKG ran- dual system encryption technique [30], we need to define domly picks α ∈ Zq and samples random dual the semi-functional keys and semi-functional ciphertexts, ∗ orthonormal bases (D,D ). Let d1, ··· , d4 be the which are only provided for definitional purpose, and are ∗ ∗ elements of D and d1, ··· , d4 be the elements of not part of the scheme. International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 11

Semi-functional keys: A normal key SK0 = {k0 , k0 } B randomly chooses a value α ∈ and sends the IDi 1 2 0 Zq is generated using the algorithm Extract and public parameters params = { 1, 2, T , e, q, g1, ∗ G G G αd1d1 d1 d2 v1, v2, v˙1, v˙2 ∈ Zq are randomly selected. The semi- g2, e(g1, g2) , g1 , g1 } to the adversary A and d∗ d∗ functional keys are defined as 1 2 keeps the master key msk = {α, g2 , g2 } secret. v d∗+v d∗ v˙ d∗+v ˙ d∗ SK(SF ) = {k , k } = {k0 ·g 1 3 2 4 , k0 ·g 1 3 2 4 }. IDi 1 2 1 2 2 2 Query 1: A adaptively makes the private key queries on Semi-functional ciphertexts: A normal ciphertext the identity IDi ∈ S, where S = {ID1, ··· ,IDn}. CT 0 = {C0 ,C0 } is generated using the algorithm En- B0 runs the algorithm Extract using the master key 1 2 to respond to all of A’s queries. crypt and χ1, χ2 ∈ Zq are randomly selected. The semi-functional ciphertexts are defined as ∗ ∗ Challenge: A outputs two challenge messages M0 ,M1 ∗ ∗ ∗ ∗ (SF ) 0 0 χ1d3+χ2d4 and two challenge sets S = {ID , ··· ,ID }, S = CT = {C1,C2} = {C1,C2 · g }. 0 01 0n 1 1 ∗ ∗ {ID11, ···ID1n}. B0 randomly picks a bit θ ∈ {0, 1} A hybrid argument over a sequence of games is used in and defines the ciphertext as follows: ∗ ∗ ∗ proof. The first game is the real security game. The ad- ∗ b1 α ID +···+ID C = M · e(T , g ) , C = T · (T ) θ1 θn . versary has no advantage unconditionally in the last game 1 θ 1 2 2 1 2 and makes qn private keys queries. We show that each Query 2: A continues to make the private key queries ∗ ∗ game is indistinguishable from the next. These games are on IDi where IDi ∈/ S0 ,S1 . described as follows: Guess: Eventually, A outputs a guess θ0 ∈ {0, 1}. A 0 Gamereal: This game is a real security game. wins the game if θ = θ. Let τ = z. If T , T are equal to gτ1b1 , gτ1b2 , then Gamek: For k = 1, ···, qn, Gamek is the same as Gamereal 1 1 2 1 1 with the limitations: CT = {C1,C2} is a properly distributed normal cipher- text. Hence, B0 has properly simulated Gamereal. τ1b1+τ2b3 τ1b2+τ2b4 1) The challenge ciphertext on the challenge set is If T1, T2 are equal to g1 , g1 , then CT = a semi-functional ciphertext. {C1,C2} is a properly distributed semi-functional cipher- ∗ 2) The first k private keys are semi-functional, and text. There is an additional term of τ2[b3 + b4(IDβ1 + ∗ the remaining private keys are normal. ··· + IDβn)] in the exponent of C2. To compute the coefficients in the basis d3, d4, we multiply the ma- The challenge ciphertext is semi-functional, all the trix A−1 by the transpose of this vector and obtain −1 ∗ ∗ T private keys are normal in Game0, the challenge ci- τ2A [1 + (IDβ1 + ··· + IDβn)] . Since the matrix A is phertext, and all the private keys are semi-functional random, these coefficients are uniformly random accord-

in Gameqn . ing to statistical indistinguishability lemma [19]. Hence, B0 has properly simulated Game0. GameF inal: This game is the same as Gameq except n B0 can leverage A’s advantage between Gamereal and that the challenge ciphertext is a semi-functional en- Game to achieve an advantage AdvDS1 = ε in solving 0 B0 cryption of a random message, instead of one of the DS1 problem. two challenge messages. Lemma 2. Assume that an adversary A makes at In the following four lemmas, we prove that these most q private key queries and such that AdvGamek−1 − Gamereal n A games are indistinguishable. Let AdvA be the ad- Gamek Adv = ε. Then there exists an algorithm Bk with vantage in Game , AdvGamek be advantage in Game , A real A k advantage AdvDS2 = ε − 1/q in solving the DS2 problem Gamefinal Bk and AdvA be advantage in Gamefinal. with (K,N) = (2, 4).

Lemma 1. Assume that there exists an adversary A such Proof. The algorithm Bk is given D = {G1, G2, GT , e, q, ∗ ∗ Gamereal Game0 b b that Adv − Adv = ε, then there exists an b1 b2 1 4 A A g1, g2, g1 , g1 , g2 , ···, g2 ,U1,U2, µ2} along with T1, T2. algorithm B with advantage AdvDS1 = ε in solving the 0 B0 The goal of Bk is to decide whether T1, T2 are distributed ∗ ∗ ∗ ∗ ∗ ∗ DS1 problem with (K,N) = (2, 4). τ1b1 τ1b2 τ1b1 +τ2b3 τ1b2 +τ2b4 as g2 , g2 or g2 , g2 . 2×2 Proof. The algorithm B0 is given D = {G1, G2, GT , e, q, Setup: Bk randomly picks an invertible matrix A ∈ ∗ ∗ Zq b1 b2 b1 b4 g1, g2, g2 , g2 , g1 , ··· , g1 ,U1,U2, µ2} along with T1, T2. and implicitly defines dual orthonormal bases D = ∗ ∗ ∗ ∗ ∗ The goal of B0 is to decide whether T1,T2 are distributed (d1, d2, d3, d4), D = (d1, d2, d3, d4) as follows: τ1b1 τ1b2 τ1b1+τ2b3 τ1b2+τ2b4 as g1 , g1 or g1 , g1 . d1 = b1, d2 = b2, (d3, d4) = (b3, b4)A, ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ −1 T Setup: B0 randomly selects an invertible matrix A ∈ d1 = b1, d2 = b2, (d3, d4) = (b3, b4)(A ) . 2×2 Zq and implicitly defines dual orthonormal bases ∗ ∗ ∗ ∗ ∗ D = (d1, d2, d3, d4), D = (d1, d2, d3, d4) as follows: Bk randomly chooses a value α ∈ Zq and sends the public parameters params = { 1, 2, T , e, q, g1, ∗ G G G αd1d1 d1 d2 d1 = b1, d2 = b2, (d3, d4) = (b3, b4)A, g2, e(g1, g2) , g1 , g1 } to the adversary A and ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ −1 T d1 d2 d1 = b1, d2 = b2, (d3, d4) = (b3, b4)(A ) . keeps the master key msk = {α, g2 , g2 } secret. International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 12

Query 1: A adaptively makes the private key queries on Proof. We prove that the joint distributions of the identity ID ∈ S, where S = {ID , ··· ,ID }. (SF ) (SF ) i 1 n {params, {SK }l∈[1,qn],CT ∗ } in Gameqn and that IDli IDθi Bk answers as follows: (SF ) (R) of {params, {SK }l∈[1,q ],CT ∗ } in GameF inal IDli n IDRi (R) 1) i < k, Bk firstly runs the algorithm Extract are equivalent for A’s view, where CT ∗ is a semi- IDRi using the master key to produce the normal pri- functional encryption of a random message. d∗ d∗ vate keys. Since B knows g 3 , g 4 , it can easily k 2 2 We randomly pick a matrix A = (ξ ) ∈ 2×2 and produce the semi-functional private keys. i,j Zq define new dual orthonormal bases F = (f1, ··· , f4) and ∗ ∗ ∗ 2) i > k, Bk runs the algorithm Extract using the F = (f1 , ··· , f4 ) as follows: master key to produce the normal private keys. 1 i−1 i+1 3) i = k, Bk randomly chooses r1, ··· , r1 , r1 ,       n i f1 1 0 0 0 d1 ··· , r1 ∈ Zq and implicitly sets r1 = τ1 and  f2   0 1 0 0   d2  computes SKIDi = {k1, k2} as follows:   =     , ∗ f3 ξ1,1 ξ1,2 1 0 d3 αb1 IDi −1       k1 = g2 · T1 · T2 , f ξ ξ 0 1 d 1 i−1 i+1 n ∗ 4 2,1 2,2 4 (r1 +···+r1 +r1 +···+r1 )(ID1+···+IDn)]b1 k2 = g  ∗     ∗  2 f1 1 0 −ξ1,1 −ξ2,1 d1 −(r1+···+ri−1+ri+1+···+rn)b∗ ·g 1 1 1 1 2 f ∗ 0 1 −ξ −ξ d∗ 2  2  =  1,2 2,2   2  (ID1+···+IDi−1+IDi+1+···+IDn)  ∗     ∗  ·T  f3   0 0 1 0   d3  1 ∗ ∗ ∗ ∗ f 0 0 0 1 d τ1b1 τ1b2 4 4 If T1, T2 are equal to g2 , g2 , SKIDi = {k1, k2} is a properly distributed normal key. ∗ ∗ ∗ ∗ ∗ τ1b1 +τ2b3 τ1b2 +τ2b4 It is easy to verify that F and F are also dual orthonor- If T1, T2 are equal to g , g , 2 2 mal, and are distributed the same as D and D∗. SKIDi = {k1, k2} is a semi-functional key, whose exponent vector includes τ2[(ID1 + ··· + The system parameters, private keys and the chal- ∗ ∗ (SF ) (SF ) IDn)b3 − b4] as its component in the span lenge ciphertext {params, {SK }l∈[1,qn],CT ∗ } in ∗ ∗ IDli IDθi of b3, b4. To compute the coefficients in ∗ T Gameqn are expressed over the bases D and D as fol- the basis d3, d4, we multiply the matrix A lows: by the transpose of this vector and obtain ∗ T T αd1d1 d1 d2 τ2A [(ID1 + ··· + IDn) − 1] . params = {G1, G2, GT , g1, g2, e, q, e(g1, g2) , g1 , g1 } (SF ) ∗ ∗ {SK }l∈[1,q ] = Challenge: A outputs two challenge messages M ,M IDli n 0 1  (α+riID )d∗−rid∗+v d∗+v d∗  ∗ ∗ ∗  k = g l li 1 l 2 1,l 3 2,l 4  and two challenge sets S0 = {ID01, ··· ,ID0n},  1 2   (r1+···+ri−1+ri+1+···+rn)(ID +···+ID )d∗  ∗ ∗ ∗  l l l l l1 ln 1  S1 = {ID11, ··· ,ID1n}. Bk randomly picks a bit  k2 = g2   i ∗  θ ∈ {0, 1} and defines the semi-functional ciphertext rl (IDl1+···+IDli−1+IDli+1+···+IDln)d1 ·g2  −(r1+···+ri−1+ri+1+···+rn)d∗  as follows:  l l l l 2   ·g2  ∗ ∗ ∗  ∗ ∗  ∗ b1 α (IDθ1+···+IDθn)  v˙1,ld3 +v ˙2,ld4  C1 = M · e(U1, g ) , C2 = U1 · U .  ·g  θ 2 2 2 l∈[1,qn] B sets z = u . To calculate the coefficients of (SF ) ∗ k 1 ∗ αzd1d1 −1 CTID∗ = {C1 = Mθ · e(g1, g2) , the basis d3, d4, we multiply the matrix A by θi ∗ ∗ zd1+z(IDθ1+···+IDθn)]d2+χ1d3+χ2d4 ∗ ∗ C2 = g }. the vector u2[1 + (IDθ1 + ··· + IDθn)] and obtain 1 −1 ∗ ∗ ∗ u2A [1 + (IDθ1 + ··· + IDθn)]. Since A is random, They are expressed over the bases F and F as follows: these coefficients of d3, d4 are uniformly random ac- ∗ f f αf1f1 1 2 cording to statistical indistinguishability lemma [19]. params = {G1, G2, GT , g1, g2, e, q, e(g1, g2) , g1 , g1 } {SK(SF )} = IDli l∈[1,qn] Query 2: A continues to make the private key queries i ∗ i ∗ 0 ∗ 0 ∗  (α+r IDli)f −r f +v f +v f  ∗ ∗ l 1 l 2 1,l 3 2,l 4  k1 = g2  on IDi where IDi ∈/ S0 ,S1 .  i−1 i+1   (r1+···+r +r +···+rn)(ID +···+ID )f ∗   l l l l l1 ln 1   k2 = g2  0  ri(ID +···+ID +ID +···+ID )f ∗  Guess: Eventually, A outputs a guess θ ∈ {0, 1}. A ·g l l1 li−1 li+1 ln 1 0 2 wins the game if θ = θ.  −(r1+···+ri−1+ri+1+···+rn)f ∗   l l l l 2   ·g2   v˙ 0 f ∗+v ˙ 0 f ∗   ·g 1,l 3 2,l 4  Therefore, according to the distribution of T1 and T2, 2 l∈[1,qn] Bk has properly simulated either Gamek−1 or Gamek. (SF ) ∗ ∗ αzf1f1 CT ∗ = {C1 = Mθ · e(g1, g2) , Bk can leverage A’s advantage between these games to IDθi z0 f +z0 f +χ f +χ f achieve an advantage AdvDS2 = ε − 1/q in solving the 1 1 2 2 1 3 2 4 Bk C2 = g1 }. DS2 problem. where Game qn z0 = z − χ ξ − χ ξ , Lemma 3. For any adversary A, we have AdvA = 1 1 1,1 2 2,1 Game Adv F inal . 0 ∗ ∗ A z2 = z(IDθ1 + ··· + IDθn) − χ1ξ1,2 − χ2ξ2,2, International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 13

Table 1: Comparison I of IBBE schemes Schemes System Parameter Size Private Key Size Ciphertext Size Decryption [3] |G1| + (m + 1)|G2| + |GT | |G1| |G1| + |G2| + |GT | 2P [8]2 (m + 1)|G0| + |GT | |G0| 2|G0| + |GT | 2P [8]3 4m|G0| 2|G0| 4|G0| + |GT | 2P ∗ ∗ [25] 7|G0| + 3|Zq | (|S| + 2)|G0| 5|G0| + |Zq | 3P [33] (m + 2)|G0| + |GT | 3|G0| 3|G0| 2P [13] (2m + 3)|G0| + |GT | (|S| + 4)|G0| 4|G0| + |GT | 4P [35] (m + 4)|G0| + |GT | (|S| + 1)|G0| 3|G0| 2P [31] m(|G1| + |G2|) + |GT | 3|S||G1| |G1|+|G2|+|GT | 2P [26] |G1| + m|G2| + |GT | |S||G2| |S||G1|+|GT | 2P ∗ [9] |G0| + |GT | + |Zq | |G0| |S||GT| P ∗ [10] 5|G0| |G0| 3|G0| + (|S| + 1)|Zq | 2P [32] |G0| + |GT | |G0| 2|G0| + 2|S||GT| 2P ∗ [11] 3|G0| 2|G0| 2|G0| + 2|S||Zq | 2P [23] 24|G0| + |GT | 6|G0| 6|G0| + |GT | 6P Our 8|G1| + |GT | 4|G2| 4|G1| + |GT | 4P

 v0 = v + (α + riID )ξ − riξ  1,l 1,l l li 1,1 l 1,2 Proof. In GameF inal, the value θ selected is inde-  v0 = v + (α + riID )ξ − riξ   2,l 2,l l li 2,1 l 2,2  pendent from the adversary A’s view. Therefore,  0 1 i−1 i+1 n   v˙1,l =v ˙1,l + (rl + ··· + rl + rl + ··· + rl )  GameF inal   AdvA (λ) = 0. The challenge ciphertext is a semi-  (IDl1 + ··· + IDln)ξ1,1   i  functional encryption of a random message, independent +rl (IDl1 + ··· + IDli−1 + IDli+1 + ··· + IDln)ξ1,1 1 i−1 i+1 n of the two challenge messages and the challenge iden- −(rl + ··· + rl + rl + ··· + rl )ξ1,2  0 1 i−1 i+1 n   v˙ =v ˙2,l + (r + ··· + r + r + ··· + r )  tity sets chosen by A. Therefore, the proposed scheme  2,l l l l l   (IDl1 + ··· + IDln)ξ2,1  is anonymous (weakly attribute-hiding).  i   +rl (IDl1 + ··· + IDli−1 + IDli+1 + ··· + IDln)ξ2,1   1 i−1 i+1 n  −(r + ··· + r + r + ··· + r )ξ2,2 l l l l l∈[1,qn] which are all uniformly distributed because ξ1,1, ξ1,2, ξ2,1, ξ2,2, v1,1, v2,1, ···, v1,q , v2,q , v˙1,1, v˙2,1, ··· , v˙1,q , v˙2,q are n n n n Theorem 1. The proposed scheme is fully secure all uniformly chosen from Zq. That is to say, the coefficients z[1, (ID∗ +···+ID∗ )] and anonymous under the symmetric external Diffie- β1 βn Hellman assumption. Specifically, if any adversary A of d1, d2 in the C2 term of the challenge ciphertext is 0 0 n breaks the proposed scheme, there exist the algorithms changed to random coefficients (z1, z2) ∈ Zq of f1, f2, thus B ,B , ··· ,B with advantage the challenge ciphertext can be seen as a semi-functional 0 1 qn encryption of a random message. Furthermore, all coef- 0 0 ∗ ∗ (SF ) qn ficients {(v ˙ , v˙ )}l∈[1,q ] of f , f in the SK are all DS1 DS2 qn 1,l 2,l n 3 4 IDli Adv ≤ Adv + P Adv + , ∗ ∗ A B0 Bk q uniformly distributed because {(v ˙1,l, v˙2,l)}l∈[1,qn] of d3, d4 k=1 are all independent random values. Therefore, whose running time is essentially equal to that of A.

(SF ) (SF ) {params, {SK }l∈[1,qn],CT ∗ } Proof. From Lemma 1-4, we obtain Theorem 1. IDli IDθi expressed over bases F and F∗ is properly distributed as 5.3 Efficiency

(SF ) (R) We compare the proposed scheme with the existing re- {params, {SK }l∈[1,q ],CT ∗ } IDli n IDRi lated works [3, 8–11, 13, 23, 25, 26, 31–33, 35] in terms of performance and security. We denote by m and |S| the in GameF inal. maximal size of receivers set and that for one encryp- ∗ ∗ In terms of A’s view, both (D,D ) and (F,F ) are iden- tion, respectively. We also denote by |GX | and |G0| the tical under the same public system parameters. Hence, length of the group GX and the group of symmetric bi- the private keys and challenge ciphertext can be depicted linear pairs, where X ∈ {0, 1, 2,T }. Let P the pairing ∗ in two manners, in Gameqn over bases (D,D ) and in computation. ∗ GameF inal over bases (F,F ). Therefore, Gameqn and We summarize the comparisons of the fifteen schemes GameF inal are statistically indistinguishable. in Tables 1-2. The System Parameter Size column, Pri- vate Key Size column and Ciphertext Size column indi- GameF inal Lemma 4. For any adversary A, we have AdvA cates the length of system parameter, private key and = 0. ciphertext, respectively. The Decryption stands for the International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 14

Table 2: Comparison II of IBBE schemes Schemes Hard Problem Security Model Standard Model Prime Order Group Anonymity √ [3] D-GDHE Selective Security √× √ × [8]2 D-BDHE Fully Secure √ √ × [8]3 D-BDHE Fully Secure √ √ × [25] D-TBDE Fully Secure √ × [33] DLIN Fully Secure √ × × [13] GSD Fully Secure √ ×√ × [35] DLIN Fully Secure √ √× √ [31] D-BDHE Fully Secure √ √ [26] DBDH Fully Secure × √ √ [9] DBDH Fully Secure × √ √ [10] DBDH Fully Secure × √ √ [32] DBDH Selective Secure × √ √ [11] DBDH Fully Secure √× √ [23] DLIN Fully Secure √ √ √× Our SXDH Fully Secure

number of pairing computation in the algorithm decryp- of group |G2| is 2560 bits, the bit length of group |GT | is tion. The Hard Problem column specifies the security 15360 bits. assumption that the schemes rely on. The Security Model We give the relationship between the system param- column shows the selective security or fully secure (adap- eter size and the maximal size of the set of receivers in tive security) that the schemes achieve. The Standard Figure 2, the relationship between the private key size Model column demonstrates whether the scheme is se- and number of recipients in a single encryption process in cure in standard model. The Prime Order Group col- Figure 3 and the relationship between the ciphertext size umn means whether the scheme is secure in the group of and number of recipients in a single encryption process in prime order. The Anonymity column describes whether√ Figure 4. the scheme achieves anonymity property. The entry indicates “satisfy” and × refers to “not satisfy”. #105 6 [3] [8]-2 From Tables 1-2, we can see that the proposed scheme [8]-3 5 [21] is the provably secure (fully secure) anonymous IBBE [29] [12] scheme. We note that the computation of the pairing 4 [31] [27] is the most consuming. Although there have been many [22] [9] 3 papers discussing the complexity of pairings and how to [10] [28] [11] speed up the pairing computation, the pairing computa- 2 [19] tion is the operation which by far takes the most running size parameter System our time. In decryption phase, our scheme needs 4 pairing 1 computations and is more efficient than the scheme in [23] 0 that needs 6 pairing computations. Moreover, the pro- 0 5 10 15 20 25 30 35 40 45 50 The maximal size of the set of receivers is m posed scheme satisfies the anonymity. Thus, our scheme outperforms the scheme in [23] in terms of security and Figure 2: System parameter size versus maximal size of computational efficiency in decryption phase. At the same the set of receivers time, although the scheme in [9] needs one pairing com- putation, the schemes in [3,8,10,11,26,31–33,35] need two From Figures 2-4, we find that the system parameter pairing computations and the scheme in [25] needs three size, the private key size and the ciphertext size in the pairing computations, the schemes in [3, 8, 26, 31, 33, 35] proposed scheme are constant and smaller than that in haven’t constant-size system parameters, the schemes scheme [23]; the private key size in schemes [3,8–11,32,33] in [25, 26, 31, 35] haven’t constant-size private keys, and are constant and smaller than that of the proposed the schemes in [10, 11, 32] haven’t constant-size cipher- scheme, but the system parameter size increase quickly texts. But, the proposed scheme can simultaneously sat- when the maximal size of receivers set become bigger in isfy constant-size system parameters, private keys and ci- schemes [3, 8, 33] and the ciphertext size increase quickly phertexts. when the number of recipients in a single encryption pro- ∗ We assume that |Zq | = 256 bits. Under the level of cess become bigger in schemes [9–11, 32]; the ciphertext 256-bit AES security, the bit length of group |G0| is 2560 size in schemes [25,35] are constant and smaller than the bits, the bit length of group |G1| is 640 bits, the bit length proposed scheme, however the private key size increase International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 15 quickly when the number of recipients in a single encryp- References tion process become bigger in schemes [25,35]; the system parameter size and the private key size are not constant in [1] D. Boneh, C. Gentry, and B. Waters, “Collusion schemes [26, 31]. Therefore, our proposed scheme is fully resistant broadcast encryption with short cipher- secure anonymous IBBE scheme with group of prime or- texts and private keys,” in Advances in Cryptology der in the standard model, which satisfies simultaneously (CRYPTO’05), pp. 258–275, 2008. the constant-size of system parameters, private keys and [2] J. Chen, H.W. Lim, S. Ling, H. Wang, and H. Wee, ciphertexts. “Shorter IBE and signatures via asymmetric pair- ings,” in Proceedings of International Conference on Pairing-Based Cryptography (Pairing’12), pp. 122– #104 7 [3] 140, 2012. [8]-2 6 [8]-3 [3] C. Delerable, “Identity-based broadcast encryption [21] [29] with constant size ciphertexts and private keys,” in 5 [12] [31] Advances in Cryptology (ASIACRYPT’07), pp. 200– [27] 4 [22] 215, 2007. [9] [10] 3 [28] [4] C. Delerable, P. Paillier, and D. Pointcheval, “Fully

Private key size key Private [11] [19] collusion secure dynamic broadcast encryption with 2 our constant-size ciphertexts or decryption keys,” in 1 Proceedings of International Conference on Pairing-

0 Based Cryptography (Pairing’07), pp. 39–59, 2007. 0 2 4 6 8 10 12 14 16 18 20 Number of recipients in a single encryption process |S| [5] Y. Dodis and N. Fazio, “Public key broadcast en- cryption secure against adaptive chosen ciphertext Figure 3: Private key size versus number of recipients in attacks,” in Proceedings of International Workshop a single encryption process on Theory and Practice in Public Key Cryptography

#105 (PKC’03), pp. 100–115, 2003. 7 [3] [6] A. Fiat and M. Naor, “Broadcast encryption,” in [8]-2 6 [8]-3 Advances in Cryptology (CRYPTO’93), pp. 480–491, [21] [29] 1993. 5 [12] [31] [27] [7] D. Freeman, “Converting pairing-based cryptosys- 4 [22] [9] tems from composite-order groups to prime-order [10] 3 [28] groups,” in Advances in Cryptology (EURO-

Ciphertext size size Ciphertext [11] [19] 2 CRYPT’10), pp. 44–61, 2010. our [8] C. Gentry and B. Waters, “Adaptive security 1 in broadcast encryption systems (with short ci- 0 phertexts),” in Advances in Cryptology (EURO- 0 2 4 6 8 10 12 14 16 18 20 Number of recipients in a single encryption process |S| CRYPT’09), pp. 171–188, 2009. [9] K. He, J. Weng, M. Au, Y. Mao, and R. H. Deng, Figure 4: Ciphertext size versus number of recipients in “Generic anonymous identity-based broadcast en- a single encryption process cryption with chosen-ciphertext security,” in Pro- ceedings of Australasian Conference on Informa- tion Security and Privacy (ACISP’16), pp. 207–222, 6 Conclusion 2016. [10] K. He, J. Weng, J. N. Liu, J. K. Liu, W. Liu, In this paper, we propose a new anonymous IBBE scheme and R. H. Deng, “Anonymous identity-based broad- with group of prime order using the asymmetric bilin- cast encryption with chosen-ciphertext security,” in ear pairing. Under the dual system encryption method- Proceedings of ACM on Asia Conference on Com- ology, we showed that the proposed scheme satisfies the puter and Communications Security (ASIACCS’16), fully secure in the standard model. In addition, the pro- pp. 247–225, 2016. posed scheme has constant size system parameters, pri- [11] K. He, J. Weng, Y. Mao, and H. Yuan, “Anonymous vate keys and ciphertexts, and achieves the receiver iden- identity-based broadcast encryption technology for tity anonymity. smart city information system,” Personal and Ubiq- uitous Computing, vol. 4, pp. 1–13, 2017. [12] M. S. Hwang, C. C. Lee, T. Y. Chang, “Broadcasting Acknowledgments cryptosystem in computer networks using geometric properties of lines”, Journal of Information Science This work was supported by the Natural Science and Engineering, vol. 18, no. 3, pp. 373–379, May Foundation of Shaanxi Province (No.2018JM6081) and 2002. the Project of Science and Technology of Xi’an City [13] J. Kim, W. Susilo, M. H. Au, and J. Seberry, “Adap- (2017088CG/RC051(CADX002)). tively secure identity-based broadcast encryption International Journal of Network Security, Vol.21, No.1, PP.7-16, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).02) 16

with a constant-sized ciphertext,” IEEE Transac- [26] Y. Ren, Z. Niu, and X. Zhang, “Fully anonymous tions on Information Forensics and Security, vol. 10, identity-based broadcast encryption without ran- no. 3, pp. 679–693, 2015. dom oracles,” Internatinal Journal Network Security, [14] A. V. N. Krishna, A. H. Narayana, K. M. Vani, vol. 16, no. 4, pp. 256–264, 2014. “Window method based cubic spline curve public key [27] A. Shamir, “Identity-based cryptosystems and cryptography,” International Journal of Electronics signature schemes,” in Advances in Cryptology and Information Engineering, vol. 4, no. 2, pp. 94– (CRYPTO’84), pp. 47–53, 1984. 102, 2016. [28] J. Sun, Y. Hu, and L. Zhang, “A key-policy [15] J. Lai, Y. Mu, F. Guo, and R. Chen, “Fully privacy- attribute-based broadcast encryption,” The Inter- preserving ID-based broadcast encryption with au- national Arab Journal of Information Technology, thorization,” The Computer Journal, vol. 60, no. 12, vol. 10, no. 5, pp. 444–452, 2013. pp. 1809–1821, 2017. [29] W. Susilo, R. Chen, F. Guo, G. Yang, Y. Mu, and [16] J. Lai, Y. Mu, F. Guo, W. Susilo, and R. Chen, Y. W. Chow, “Recipient revocable identity-based “Anonymous identity-based broadcast encryption broadcast encryption,” in Proceedings of ACM on with revocation for file sharing,” in Proceedings Asia Conference on Computer and Communications of Australasian Conference on Information Security Security (ASIACCS’16), pp. 201–210, 2016. and Privacy (ACISP’16), pp. 223–239, 2016. [30] B. Waters, “Dual system encryption: Realizing fully [17] J. Lai, Y. Mu, F. Guo, W. Susilo, and R. Chen, secure IBE and HIBE under simple assumptions,” in “Fully privacy-preserving and revocable ID-based Advances in Cryptology (CRYPTO’09), pp. 619–636, broadcast encryption for data access control in smart 2009. city,” Personal and Ubiquitous Computing, vol. 21, [31] L. Xie and Y. Ren, “Efficient anonymous identity- no. 5, pp. 855–868, 2017. based broadcast encryption without random ora- [18] C. C. Lee, T. Y. Chang, M. S. Hwang, “A sim- cles,” International Journal of Digital Crime and ple broadcasting cryptosystem in computer networks Forensics, vol. 6, no. 2, pp. 40–51, 2014. using exclusive-OR”, International Journal of Com- [32] P. Xu, J. Li, W. Wang, and H. Jin, “Anony- puter Applications in Technology, vol. 24, no. 3, pp. mous identity-based broadcast encryption with con- 180–183, 2005. stant decryption complexity and strong security,” in [19] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, Proceeding of ACM on Asia Conference on Com- and B. Waters, “Fully secure functional encryp- puter and Communications Security (ASIACCS’16), tion: attribute-based encryption and (hierarchical) pp. 223–233, 2016. inner product encryption,” in Advances in Cryptol- [33] L. Zhang, Y. Hu, and Q. Wu, “Adaptively se- ogy (EUROCRYPT’10), pp. 62–91, 2010. cure identity-based broadcast encryption with con- [20] A. Lewko and B. Waters, “New techniques for dual stant size private keys and ciphertexts from the system encryption and fully secure HIBE with short subgroups,” Mathematical and Computer Modelling, ciphertexts,” in Procddeings of Theory of Cryptogra- vol. 55, no. 1, pp. 12–18, 2012. phy Conference (TCC’10), pp. 455–479, 2010. [34] L. Zhang, Z. Wang, and Q. Wu, “Leakage-resilient [21] B. Libert, K. G. Paterson, and E. A. Quaglia, anonymous identity-based broadcast encryption in “Anonymous broadcast encryption: adaptive se- the standard model,” in Proceeding of International curity and efficient constructions in the standard Conference on Algorithms and Architectures for Par- model,” in Proceedings of International Workshop allel Processing (ICA3PP’15), pp. 201–210, 2015. on Theory and Practice in Public Key Cryptography [35] L. Zhang, Q. Wu, and Y. Mu, “Anonymous identity- (PKC’12), pp. 206–224, 2012. based broadcast encryption with adaptive security,” in Proceedings of the Symposium on Cyberspace [22] L. Liu and Z. Cao, “A note on efficient algorithms Safety and Security (CSS’13), pp. 258–271, 2013. for secure outsourcing of bilinear pairings,” Interna- tional Journal of Electronics and Information Engi- Yang Ming received the B.S. and M.S. degrees from neering, vol. 5, no. 1, pp. 30–36, 2016. Xi’an University of Technology in 2002 and 2005 respec- [23] Y. Ming and Y. Wang, “Identity based broadcast tively, and the Ph.D. degree in cryptography from Xid- encryption with group of prime order,” The Inter- ian University in 2008. Currently he is a supervisor of national Arab Journal of Information Technology, postgraduate and professor of Chang’an University. His vol. 13, no. 5, pp. 531–541, 2016. research interests include cryptography and information [24] T. Okamoto and K Takashima, “Fully secure func- security. tional encryption with general relations from the de- cisional linear assumption,” in Advances in Cryptol- Hongping Yuan received the B.S. degrees from Nanyang ogy (CRYPTO’10), pp. 191–208, 2010. Institute of Technology in 2014. Currently she is a post- [25] Y. Ren and D. Gu, “Fully CCA2 secure iden- graduate of Chang’an University. His research interests tity based broadcast encryption without random include cryptography and public key encryption. oracles,” Information Processing Letters, vol. 109, no. 11, pp. 527–533, 2009. International Journal of Network Security, Vol.21, No.1, PP.17-21, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).03) 17

On The Secrecy Performance of Wireless Powered Device to Device Systems

Dinh-Thuan Do (Corresponding author: Dinh-Thuan Do)

Faculty of Electronics Technology, Industrial University of Ho Chi Minh City 12 Nguyen Van Bao Street, Go Vap District, Ho Chi Minh city, Vietnam (Email: [email protected]) (Received May 25, 2017; revised and accepted Oct. 21, 2017)

Abstract mission to the allocated spectrum under required inter- ference levels. Several applications including peer-to-peer This paper investigates a new device-to-device (D2D) file sharing, high resolution services, video on demand, paradigm to evaluate system security at physical layer and content-aware applications are goals of design in the for the D2D link in which the energy harvesting-assisted distinctive D2D networks. In current research works and node can communicate to satisfy quality of service (QoS) literature, D2D links and cellular UEs can be enabled for and help the conventional system with D2D capability spectrum sharing mode selection in a wireless network as against to eavesdropper. To cope with high security, the studied work in [16] and [13]. Resource optimization in D2D deploys the lower layer with using cooperative jam- time frequency hopping based D2D networks was devel- ming to eliminate impacts of illegal users. Considering oped in [12]. To minimize the total transmission power, relay node with capability of wireless energy harvesting, power allocation schemes are investigated in D2D com- this paper attempts to investigate secure performance in munications with aims of the quality-of-service (QoS) re- case of power splitting fractions is controlled to improve quirement of users in [11]. the secrecy capacity. In particular, this work analyzes the To consider security of D2D wireless networks, physical secrecy capacities for direct connection, namely D2D links layer security is proposed as an approach which based on and traditional connections. As an important achieve- the information theoretic assessment to examine the secu- ment, simulation results show the performance to deploy rity performance, especially in green communications can our proposed scheme to remain secure requirements in be extended to secure requirement [1]. In particular, D2D each D2D link in terms of the expected secrecy capacity. protocol with security analysis is designed suitable for Keywords: Device-To-Device; Energy Harvesting; Power Public Safety (PS) users with out-of-coverage users con- Splitting; Secrecy Capacity sidering on sharing encryption keys [8] and J. S Chen et al. in [2], in which system model including source node, destination node, and an unwanted eavesdropper was es- 1 Introduction tablished. As typical example, the authors in [10] pro- posed a D2D security architecture can be applied in the Device to device (D2D) equipment has been examined LTE system and several propositions on D2D security is- as an inspiring solution to the frequency and channel re- sues. Such solutions can be introduced as authentication source shortage of the base station in cellular networks and key management, secure routing, access control, and and inefficiency in its utilization [11–13, 16]. It can be physical-layer security. shown that D2D can be combined to traditional cellular Moreover, potential overhearing attacks from third network, in which D2D can support more service assur- parties can be degraded wireless communication in the ance in a dense users circumstance, in which the two user natural transmission environment and result in reliable equipment unit (UE) can be able linked with other UE problem of the private information transmitted over re- in the pair of D2D users directly under assigned D2D laying networks [15], it denotes as eavesdroppers. Some link of the cellular resource to reduce processing at core other physical-layer security (PLS) methods have been equipment. Such D2D link can be self-operated without implemented in relaying system model to guarantee se- added controlling signal through the normal base station cure data transmission [17]. The authors of [9] considered (BS). In theory, several kinds of gain such as the proxim- the secrecy rate maximization problem in the multiple- ity gain, the recycle gain, the hop gain, and the paring input single-output (MISO)-assisted relaying network by gain are included in D2D communication permits fast ad- improving the transmit covariance matrix with two con- International Journal of Network Security, Vol.21, No.1, PP.17-21, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).03) 18

link, N denotes as traditional user (non-D2D user). It is assumed that S, E, N and D are furnished with a single antenna. It is noted that D assumed no external power supply, and only relies on harvested energy from S for transmitting signal. The considered system applies power splitting (PS) protocol in the energy-aware receiver at D to process information and energy signal. It is assumed that all links are modeled as independent and identical Rayleigh fading. We denote hab is channel of link from node a to node b while Pa stands for power at node a. In particular, each D2D user is controlled by base station in initial period, and then D2D can be freely communi- cate each other in next period. It is also assumed that Figure 1: Secure D2D system model the channel state information is available. In case imper- fect channel estimation, the system performance will be reduced but it is beyond of scope of this paper. In con- ditions of the transmit power and the interference tem- ventional principle, the characteristic of the channel state perature. In [18], some multi-user scheduling policies are information can be assessed by training sequence and ana- given to develop the PLS for cognitive radio networks log feedback. The harvested power can be obtained at D against two kinds of the attackers, namely coordinated (D2D user) is: 2 and uncoordinated ones. Two sub-optimal procedures us- PD = ρηPS|hSD| ing a full or partial orthogonal projection were planned where with ( 0 < ρ < 1 ) is power splitting coefficient, 0 < to maximize the available relay node of a cognitive users η < 1 is energy conversion efficiency of energy harvesting is investigated in [3]. protocol. The harvested power can be obtained at N (non- In this paper, D2D link is experienced in energy har- D2D user) is: vesting (EH) capability and the physical-layer security P = ρηP |h |2 method is added to protect the confidential signal to N S SN against malicious eavesdropping and energy harvesting The information signal received at D is expressed by based protocols are investigated in [4–7]. The authors √ p p in [5–7] presented two-way relating network while the yD = ϕ( PShSDXS + nD) + PN hNDXN + nc work in [4] proved that the relay can be forwarded sig- nal thanks to harvesting wireless power from the source where XS is the transmitted symbol at S, and nc is the node. In principle, simultaneous wireless information and power splitting (PS) factor, and, denotes as the signal power transfer (SWIPT) to bring electromagnetic wave processing noise at D, which is also modeled as AWGN to energy bearing for assigned users. To integrate EH to with zero mean and a variance of N0 . It is noted that D2D network, D2D scheme in each link will be operated the power splitting factors satisfy condition ρ + ϕ = 1. It under wireless energy support including energy transfer worth noting that N node can be made interference to the 2 phase and information processing phase. The main duty nearby nodes. It is noted that ED = ρηPS|hSD| T is the is careful calculation of power fraction to satisfy the se- energy harvested from S and stored in battery to use for crecy capacity of the D2D system. next processing, in which T is the symbol duration. The rest of this paper is organized as follows. In Sec- Next, we compute the received signal at E by tion II, we will interpret our system model. In Section III, p p we formulate our closed-form expression and develop the yE = PShSEXS + PN hNEXN + nE probability of strictly positive secrecy capacity (SPSC) where n is the AWGN with zero mean and a variance of to examine secure performance problem. The asymptotic E N . analysis is illustrated in Section IV, and Section V con- 0 Thus, by considering the signal-to-interference-plus- cludes the paper [14]. noise ratio (SINR) at D and E node, they are expressed as

2 2 System Model ϕPS|hSD| γD = 2 PN |hND| + ϕN0 + N0 In this paper, Figure 1 shows a wireless-powered device to ϕP |h |2 device (D2D) system in underlay cellular network under S SD = 2 2 security consideration. In such model, the representative ρηPS|hSN | |hND| + ϕN0 + N0 nodes are considered: A D2D user denoted as source (S), and a base station (BS), a D2D user stands for destination 2 2 (D) and an eavesdropper (E) in the coverage area of D2D PS|hSE| PS|hSE| γE = 2 = 2 2 links, and D node can be able harvest energy in the D2D PN |hNE| + N0 ρηPS|hSN | |hNE| + N0 International Journal of Network Security, Vol.21, No.1, PP.17-21, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).03) 19

In high SNR, we have SNR as below Besides, we have

y 2 ∞ ϕ|hSD| R Rx γD ≈ F (y) = f 2 (z)f 2 (x)dxdz ρη|h |2|h |2 Y1 |hSE | |hND | SN ND 0 0 ∞ R y 2 2 = F|hSE | ( x )f|hND | (x)dx 0 3 Probability of Strictly Positive ∞ = R (1 − exp(− y 1 )). 1 exp(− 1 x)dx x ΩSE ΩND ΩND Secrecy Capacity (SPSC) 0 ∞ = R 1 exp(− 1 x)dx Regarding secure performance, we evaluate this expres- ΩND ΩND 0 sion as ∞ − R 1 exp(− y 1 ) exp(− 1 x)dx ΩND x ΩSE ΩND Cs = max{RD − RE, 0} 0 ∞ = 1 − 1 R exp(−(− y 1 − 1 x))dx in which, the instantaneous achievable rates can be shown ΩND x ΩSE ΩND as 0 q y q y = 1 − 2 Ω Ω K1(2 Ω Ω ) RD = log2(1 + γD) SE ND SE ND and in which K1(.) is Bessel function with second kind of first RE = log2(1 + γE) order. In next step, the PDF of Y = y1 is formulated as [14]: In such D2D system, SPSC is defined as the probability y2 ∞ of the secrecy capacity is greater than zero. R fY (y) = xfY1 (yx)fy2 (x)dx 0 PSPSC = Pr(CS > 0) ∞ 2 R x q yx = x exp(− )K0(2 )dx ΩSE ΩND ΩNE ΩNE ΩSE ΩND 0 It is required high security in D2D, we assume that γD > q 1 ΩNE − yΩNE yΩNE = y 2 exp( )W 3 ( ) γE, then the secrecy rate can be re-expressed as ΩSE ΩND 2ΩSE ΩND − 2 ,0 ΩSE ΩND

 2 2 2  ρη|hSN | |hND | +ϕ|hSD | in which Wλ,µ(.) is Whittaker function. 1 + γ  2 2 C = log D = log ρη|hSN | |hND | Finally, it can be obtained SPSC formula as S 2 2  |h |2+ρη|h |2|h |2  1 + γE SE SN NE ρη|h |2|h |2 SN NE ∞ y Z Z Therefore, the expression of is expressed by Pr(Cs > 0) = 1 − fX (x)fY (y)dxdy 0 0     1 + γD ∞ Pr(Cs > 0) = Pr log2 > 0 Z 1 1 + γE = 1 − (1 − exp(− y))fY (y)dy   2 2 2   ϕΩSD ρη|hSN | |hND | +ϕ|hSD | 0 ρη|h |2|h |2 SN ND ∞ = Pr log 2 2 2 > 0  2  |hSE | +ρη|hSN | |hNE |   Z 2 2 1 ρη|hSN | |hNE | = exp(− y)f (y)dy ϕΩ Y Y Y SD = Pr(X > 1 ) = 1 − Pr(X ≤ 1 ) 0 ∞ Y2 Y2 Z " r # 1 ΩNE − 1 = exp(− y) y 2 A dy 2 2 2 We denote X = ϕ|hSD| , Y1 = |hND| |hSE| and Y2 = ϕΩSD ΩSEΩND 2 0 |hNE| . The CDF of X can be expressed as:

yΩNE yΩNE where A = exp( )W− 3 ,0( ) 1 x 2ΩSE ΩND 2 ΩSE ΩND fX (x) = exp(− ) ϕΩSD ϕΩSD 4 Simulation and x FX (x) = 1 − exp(− ) In this section, empirical parameters will be adopted to ϕΩ SD examine the secrecy performance of D2D system. The It can be expressed PDF and CDF of Y 1 as follow [14]: D2D system distributes between D2D users and non-D2D user. In this section, numerical results are presented. Un- ∞ Z 1 y less otherwise explicitly specified, the parameters are set f (y) = f 2 ( )f 2 (x)dx Y1 x |hSE | x |hND | as transmit SNR equals to 20 (dB), channel gains equal 0 to 1, η = 0.9 , and α = hSD/hSE. ∞ In Figure 2, we plot the secrecy capacity versus α. In 1 1 Z 1 1 y 1 = exp(− − x)dx this observation, we can figure out that the secrecy capac- ΩSE ΩND x ΩSE x ΩND 0 ity increases when more power is allocated for the energy International Journal of Network Security, Vol.21, No.1, PP.17-21, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).03) 20

1 1

0.95 0.95 0.9

0.85 0.9

0.8

0.85 0.75 SPSC

SPSC α=0, 5, 10 (dB) 0.7 0.8 0.65

0.75 0.6

Simulation 0.55 Analysis 0.7 −10 −8 −6 −4 −2 0 2 4 6 8 10 0.5 α(dB) 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 ρ

Figure 2: Secure performance D2D versus α Figure 4: SPSC versus power splitting fractions

1 5 Conclusion 0.95

0.9 This paper has considered the secrecy performance in D2D networks with wireless-powered node system. By 0.85 considering energy harvesting-assisted node can simulta- 0.8 neously receive information and energy from the source

SPSC 0.75 through power splitting protocol, the probability of ρ =0.3, 0.5, 0.7 strictly secrecy capacity has been studied. Exact expres- 0.7 sion of probability of strictly positive secrecy capacity 0.65 have been derived. Numerical results show that under the 0.6 condition that the energy harvesting together to become

0.55 the exact probability of strictly positive secrecy capacity. −10 −8 −6 −4 −2 0 2 4 6 8 10 α(dB) References Figure 3: SPSC versus α as considering impact of power splitting fractions [1] S. Bi, C. K. Ho, and R. Zahang, ”Wireless pow- ered communication: Opportunities and challenges,” IEEE Communications Magazine, vol. 53, no. 4, pp. 117-125, 2015. harvesting -assisted node. In Figure 2, we present an- [2] J. S. Chen, C. Y. Yang and M. S. Hwang, ”The ca- alytical and simulation results for SPSC vs. α. It can pacity analysis in the secure cooperative communica- be seen that analytical results are obtained to meet with tion system,” International Journal of Network Se- line for Monte Carlo simulation. One can see that simula- curity, vol. 19, no. 6, pp. 863-869, 2017. tion results are approximate same with analytical results, [3] T. Chen, H. Q. Yuan, T. Z. Zhao, et al., ”Joint beam- which validates the accuracy of the analytical expression forming and powerallocation for secure communica- derived. tion in cognitive radio networks,” IET Communica- Figure 3 examines impact of power splitting fraction tions, vol. 10, no. 10, pp. 1156-1162, 2016. on SPSC performance. It can be shown that SPSC with [4] D. T. Do, ”Optimal throughput under time power a higher ρ is outperformed by that with a lower ρ. The switching based relaying protocol in energy harvest- main reason is that a higher ρ leads to a lower portion ing cooperative network,” Wireless Personal Com- of the received power is separated ratio for information munications, vol. 87, no. 2, pp. 551-564, 2016. decoding and more power is harvested. As a result, a low [5] D. T. Do, ”Energy-aware two-way relaying networks received SINR is resulted at D, which leads to a lower under imperfect hardware: Optimal throughput de- capacity at D. sign and analysis,” Telecommunication Systems, vol. Similarly, Figure 4 shows SPSC performance versus 62, no. 2, pp. 449-459, 2015. power splitting coefficients. When increasing ρ leads to [6] D. T. Do, H. S. Nguyen, ”A tractable ap- reducing power for information processing and result in proach to analyze the energy-aware two-way re- lower SPSC performance. As a result, the careful calcula- laying networks in presence of co-channel interfer- tion of ρ need be required for high secure D2D networks. ence,” EURASIP Journal on Wireless Communica- International Journal of Network Security, Vol.21, No.1, PP.17-21, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).03) 21

tions and Networking, 2016. (https://doi.org/10. [15] Y. Zou, J. Zhu, X. Wang, et al., ”A survey on wireless 1186/s13638-016-0777-z) security: Technical challenges, recent advances and [7] D. T. Do, ”Power switching protocol for two-way re- future trends,” Proceedings of the IEEE, vol. 104, no. laying network under hardware impairments,” Ra- 9, pp. 1727-1765, Sep. 2016. dioengineering, vol. 24 , no. 3, pp. 765-771, 2015. [16] M. Zulhasnine, C. Huang, and A. Srinivasan, ”Ef- [8] L. Goratti, et al. ”Connectivity and security ficient resource allocation for device-to-device com- in a D2D communication protocol for pub- munication underlaying LTE network,” in Proceeding lic safety applications,” in Proceeding of 2014 IEEE 6th International Conference Wirless Mobile 11th International Symposium on Wireless Com- Computing, Oct. 2010, pp. 368–375. munications Systems (ISWCS’14), 2014. DOI: [17] Y. Zou, J. Zhu, L. Yang, et al., ”Securing physical- 10.1109/ISWCS.2014.6933414. layer communications for cognitive radio networks,” [9] Y. Pei, Y.-C. Liang, L. Zhang, et al., ”Secure commu- IEEE Communications Magazine, vol. 53, no. 9, pp. nication over MISO cognitive radio channels,” IEEE 48-54, Sep. 2015. Transactions on Wireless Communications, vol. 9, [18] Y. Zou, X. Li, and Y. C. Liang, ”Secrecy outage and no. 4, pp. 1494-1502, Apr. 2010. diversity analysis of cognitive radio systems,” IEEE [10] M. Wang, and Z. Yan, ”Security in D2D com- Journal on Selected Areas in Communications, vol. munications: A review,” 2015 IEEE Trust- 32, no. 11, pp. 2222-2236, Nov. 2014. com/BigDataSE/ISPA, vol. 1, 2015. [11] X. Xiao, X. Tao, and J. Lu, ”A Qos-aware power optimization scheme in OFDMA systems with inte- Biography grated device-to-device (D2D) communications,” in Proceeding IEEE Vehicle Technology Conference, pp. Dinh-Thuan Do received the B. S. degree, M. Eng. de- 1–5, Sep. 2011. gree, and Ph.D. degree from Vietnam National Univer- [12] Q. Ye, M. Al-Shalash, C. Caramanis, and J. sity (VNUHCMC) in 2003, 2007, and 2013 respectively, G. Andrews, ”Resource optimization in device-to- all in Communications Engineering. He was a visiting device cellular systems using time-frequency hop- Ph. D. student with Communications Engineering Insti- ping,” IEEE Translation Wireless Communications, tute, National Tsing Hua University, Taiwan from 2009 to vol. 13, no. 10, pp. 5467–5480, Oct. 2014. 2010. Prior to joining Ton Duc Thang University, he was [13] C. H. Yu, K. Doppler, C. B. Ribeiro, and O. Tirkkon- senior engineer at the VinaPhone Mobile Network from nen, ”Resource sharing optimization for device- 2003 to 2009. He was the recipient of the 2015 Golden to-device communication underlaying cellular net- Globe Award by Ministry of Science and Technology. He works,” IEEE Translation Wireless Communica- is currently Assistant Professor at the Wireless Commu- tions, vol. 10, no. 8, pp. 2752–2763, Aug. 2011. nications & Signal Processing Lab (WICOM LAB). His [14] J. Zhang, G. Pan, and H-M Wang, ”On physical- publication includes 21+ SCI/SCIE journals. His research layer security in underlay cognitive radio networks interest includes signal processing in wireless communica- with full-duplex wireless-powered secondary sys- tions network, mmWave, device-to-device networks, co- tem,” IEEE Access, vol. 4, pp. 3887–3893, 2016. operative communications, full-duplex transmission and energy harvesting. International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 22

An Image Encryption Scheme Based on The Three-dimensional Chaotic Logistic Map

Chunhu Li, Guangchun Luo, and Chunbao Li (Corresponding author: Chunhu Li)

School of Computer Science and Engineering, University of Electronic Science and Technology of China Chengdu, Sichuan 610054, China (Email: [email protected]) (Received June 1, 2017; revised and accepted Sept. 12, 2017)

Abstract differential equations. The complex behavior of chaotic systems in nonlinear deterministic was described. The Image encryption has been a popular research field in implementation of chaotic maps in the development of recent decades. This paper presents a novel image en- cryptography systems lies in the fact that a chaotic map cryption scheme, which is based on the three-dimensional is characterized by: chaotic logistic map. Firstly, the three-dimensional chaotic logistic map is modified to generate key stream. 1) The initial conditions and control parameters with Secondly, the chaos-based key stream is generated by a high sensitivity; three-dimensional chaotic logistic map, which has a bet- 2) Unpredictability of the orbital evolution; ter performance in terms of randomness properties and security level. The design of the proposed scheme is ef- 3) The simplicity of the hardware and software imple- ficient. It provides the necessary properties for a secure mentation leads to a high encryption rate [24]. image encryption scheme including the confusion and dif- These characteristics can be connected with some very fusion properties. We use well-known ways to perform important cryptographic properties such as confusion and the security and performance analysis of the proposed im- diffusion, balance and avalanche properties [14, 37]. age encryption scheme. Simulation results show that the Over the past two decades, the image encryption based suggested scheme satisfies the required performance tests on Chaos theory has become a hot research topic. The such as large key space, high level security, and accept- classic encryption architecture based on chaotic map able encryption speed. The fail-safe analysis is inspiring has been investigated. Researchers have proposed many and it can be concluded that the proposed scheme is effi- chaos-based digital image encryption schemes [3, 6, 8, 12, cient and secure. These characteristics make it a suitable 17, 20–22, 30, 31, 33, 36, 38, 39, 41, 45, 46], which utilize candidate for using in cryptographic applications. chaotic maps. For designing a real-time secure symmet- Keywords: Cryptography; Three-dimensional Chaotic Lo- ric encryption scheme, Chen and his research group pro- gistic Map; Image Encryption moted the 2D chaotic cat map to 3D [19]. Mao and his research group proposed a new fast image encryption scheme based on 3D chaotic baker maps [44]. Kanso et 1 Introduction al. suggested a novel image encryption algorithm, which based on a 3D chaotic map [26]. Ruisong Ye and his Recently, with the rapid development of network tech- research group designed a chaos-based image encryption nology and their increasing popularity, the roles of im- scheme using 3D skew tent map and coupled map lat- ages in the exchange of information among people be- tice [35]. Haroun’s Real-time image encryption using come more frequent, image data protection has become a low-complexity discrete 3D dual chaotic cipher [29]. more and more important. To meet the needs of the Akhavan and his partner proposed a novel parallel hash image authentication, image encryption algorithms were function based on 3D chaotic map [4]. Guodong Ye’s proposed [11, 23, 25, 27, 42]. In 1970s, Chaos theory was symmetric image encryption scheme using 3D chaotic cat proposed, which was used in a number of research ar- maps [19]. eas, such as mathematics, engineering, physics, biology, The famous logistic map (xn+1 = αxn(1 − xn)) was and so on [15]. The first description of a chaotic process popularized by May in 1976, the system exhibits chaotic was made in 1963 by Lorenz [28], who developed a sys- behaviors for most values of the growth coefficient α be- tem called the Lorenz attractor that coupled nonlinear tween 3.57 and 4 [34]. The simple one-dimensional logistic International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 23 map has a chaotic behavior, and has been used to en- crypt information for further transmission [5]. In this pa- per, we deeply analyze logistic map and three-dimensional chaotic logistic map. Based on three-dimensional chaotic logistic map and the properties of chaotic system, we propose a novel image encryption scheme. Using the three-dimensional chaotic logistic map, we can generate sequences that have very high randomness and complex- ity. The parameters and the initial variable of the three- dimensional chaotic logistic map in this algorithm can be modified during the encryption and decryption. The ini- tial sensitivity performance of this map is the guarantee of the secure image encryption algorithm. When the small Figure 1: The image of the three-dimensional chaotic lo- changes in control parameters and initial condition exist, gistic map the generated sequences change very large. The organization of this paper is as follows: Section 2 introduces the three-dimensional chaotic logistic map and in the Section 4 and Section 5. The following is the pro- its properties. In Section 3, the details of our algorithm posed algorithms and analysis of the main processes of (include encryption and decryption) are proposed. The encryption and decryption. experimental are introduced in Section 4. The details of the security discussion are shown in Section 5. Finally, the conclusions are drawn in Section 6. 3.1 The Image Encryption Algorithm In this section, we use the three-dimensional chaotic lo- 2 The Three-dimensional Chaotic gistic map Equation (2), Equation (3) and Equation (4) to implement encryption process. The flowchart of the Logistic Map encryption algorithm is shown in Figure 2. This paper In the introduction section, we introduced the prototype proposes an image encryption algorithm includes the fol- of the logistic map in Equation (1) [10]. lowing main steps:

1) Reading plain-image (original-image) (Pa×b×c), get xn+1 = αxn(1 − xn). (1) size of P , e.g. using [a, b, c] save size of P , let N = a∗b, get R-plain-image PR , save to PR , get For 0 < xn < 1 and α = 4 the equation exhibit the chaotic a×b×1 (N) behavior. The logistic map is simplest chaos function. G-plain-image PGa×b×2, save to PG(N), get B-plain- A real example of the three-dimensional chaotic logistic image PBa×b×3, save to PB(N), let x(0) = 0.100001, map is: y(0) = 0.100001 and z(0) = 0.100001;

2 3 2) Input the secret (encryption) key α β γ into the xi+1 = αxi(1 − xi) + βyi xi + γzi (2) three-dimensional chaotic logistic map equation. It- 2 3 yi+1 = αyi(1 − yi) + βzi yi + γxi (3) erate the three-dimensional chaotic logistic map N 2 3 times using system Equation (2), Equation (3) and zi+1 = αzi(1 − zi) + βxi zi + γyi . (4) Equation (4), obtain an array X(N), Y(N) and Z(N); Where α β γ are parameters, and for 3.68 < α < 3.99, 0 < β < 0.022, 0 < γ < 0.015, this system has a chaotic 3) Diffusion: CDR(N) = X(N) ∗ PR(N), CDG(N) = attractor, and can take the value between [0, 1]. Y(N) ∗ PG(N), CDB(N) = Z(N) ∗ PB(N); Using MATLAB in the experiments, the equation pa- rameters α, β and γ were selected as α = 3.89, β = 0.01 4) Confusion: Change X(N), Y(N) and Z(N) into [0, 255], and γ = 0.01, in this case the system has a chaotic behav- get SX(N), SY(N) and SZ(N), we can get CCR(N) = ior. The Figure 1 shows the distribution of 65536 points. SX(N) ⊕ CDR(N), CCG(N) = SY(N) ⊕ CDG(N), CCB(N) = SZ(N) ⊕ CDB(N);

3 Proposed Algorithm 5) Change CCR(N), CCG(N) and CCB(N) into Ca×b×c, which is encrypt each element of matrix (Pa×b×c) us- In this proposed algorithm, We give the detail of the im- ing the key array X(N), Y(N) and Z(N), namely, mix age encryption and decryption algorithm. We encrypt the confusion of the original image (Pa×b×c)(X(N), the images of different sizes. We also analyze the effect Y(N) and Z(N)) components with the diffusion of the of encryption. After encryption we get the differences be- original image (Pa×b×c)(X(N), Y(N) and Z(N)), get tween the decrypted image and the original image. The the resulting image is the ciphered image Ca×b×c. detailed analysis of these algorithms are mainly recorded International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 24

Figure 2: The flowchart of the encryption algorithm Figure 3: The flowchart of the decryption algorithm

3.2 The Image Decryption Algorithm 5) Change PR(N), PG(N) and PB(N) into Pa×b×c, de- crypt each element of matrix (Ca×b×c) using the key In this section, we use the three-dimensional chaotic lo- array X(N), Y(N) and Z(N), namely, get the resulting gistic map Equation (2), Equation (3)and Equation (4) image is the original image Pa×b×c. to implement decryption process. The flowchart of the decryption algorithm is shown in Figure 3. This paper proposes an image decryption algorithm includes the fol- lowing main steps: 4 Experimental Results

1) Reading ciphered-image (encrypted-image) The efficiency of the proposed image encryption algorithm (Ca×b×c), get size of C, e.g. using [a, b, c] save is shown in the following experimental results. The stan- size of C, let N = a ∗ b, get R-ciphered-image dard gray scale image peppers (Figure 4(a)) with the size CRa×b×1, save to CCR(N), get G-ciphered-image 256 × 256 pixels is used for this experiment. CGa×b×2, save to CCG(N), get B-ciphered-image The results of the encryption are presented in Fig- CBa×b×3, save to CCB(N), let x(0) = 0.100001, ure 4(b). As can be seen from the encrypted image Fig- y(0) = 0.100001 and z(0) = 0.100001, here x(0), ure 4(b), there are no patterns or shadows visible in the y(0) and z(0) must be same as encryption process; corresponding cipher image. The result of the decryp- tion is presented in Figure 4(c). As can be seen from the 2) Input the secret (encryption) key α β γ into the decrypted image Figure 4(c), it is not different from the three-dimensional chaotic logistic map equation. It- original image. erate the three-dimensional chaotic logistic map N The color image peppers with the size 512 × 512 × 3 times using system Equation (2), Equation (3) and pixels is used for this experiment. The Figure 5(a) is the Equation (4), obtain an array X(N), Y(N) and Z(N); color image of peppers, Figure 5(b) is the encrypted color image of peppers, and Figure 5(c) shows the decrypted 3) Inverse confusion: Change X(N), Y(N) and Z(N) into color image of peppers from Figure 5(b). [0, 255], get SX(N), SY(N) and SZ(N), we can get We also do many experiments using different size of CDR(N) = SX(N) ⊕ CCR(N), CDG(N) = SY(N) ⊕ color images, 1024 × 1024 × 3 pixels and 2048 × 2048 × 3 CCG(N), CDB(N) = SZ(N) ⊕ CCB(N); pixels in Figure 6, the speed of those images is shown in Table 2. −1 4) Inverse diffusion: PR(N) = CDR(N) ∗ X(N), The result of the decryption using wrong key is pre- −1 −1 PG(N) = CDG(N) ∗ Y(N), PB(N) = CDB(N) ∗ Z(N); sented in Figure 4(f). As can be seen from the Figure 4(f), International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 25

there are no patterns or shadows visible in the correspond- ing ciphered image.

(a) (b) (c) 5 Security Analysis

Security is a major issue of a cryptosystem. When a new cryptosystem is proposed, it should always be accompa- nied by some security analyses. A good encryption proce- (d) (e) 600 (f) dure should be robust against all kinds of cryptanalytic, 600 statistical and brute-force attacks. Here, some security 400 400 analyses have been performed on the proposed scheme like 200 200 key space analysis, distribution of the cipher-text, correla- 0 0 tion analysis of two adjacent pixels, information entropy, 0 100 200 0 100 200 plain-text sensitivity analysis, etc. The security analysis demonstrates a high security level of the new scheme. Figure 4: (a) The original image; (b) The encrypted im- age; (c) The decrypted image; (d) The histogram of orig- 5.1 Key Space inal image; (e) The histogram of ciphered image; (f) The decrypted image with wrong key. For every cryptosystem, the key space is very important. The key space of an encryption algorithm should be large enough to resist brute-force attacks. In our proposed scheme, the key space of the image decryption is com- puted by:

T (α, β, γ, x0, y0, z0) = θ(α × β × γ × x0 × y0 × z0) (a) (b) (c) where 3.68 < α < 3.99, 0 < β < 0.022, 0 < γ < 0.015, x0 ∈ [0, 1], y0 ∈ [0, 1], z0 ∈ [0, 1], the each precision of −16 α, β, γ, x0, y0, z0 is 10 , namely, the size of key space is 1095 (((1016)6 ∗ 10−1 ∗ 10−2) ∗ 10−2). This key space is big enough for brute-force attacks [32,40]. In this scheme, we take the key to the original as follows: x0 = 0.100001, Figure 5: (a) The original image; (b) The encrypted im- y0 = 0.100001, z0 = 0.100001, α = 3.8900000001, β = age; (c) The decrypted image. 0.01, γ = 0.01. When taking the wrong key: the difference between wrong and right key is 10−16. For example, using α = 3.8900000001000001 as the wrong key to decrypt the encryption image, we get a wrong decrypted image shown in Figure 4(f).

5.2 Distribution of The Ciphertext An image histogram displays that how pixels in an image are distributed by plotting the number of pixels. Here we take a peppers image (its size is 256 × 256) as the original image. Histogram of the original peppers image and the corresponding ciphered peppers image are shown in Figure 4(d) and 4(e). As is shown, the histograms of the ciphered image is uniform and do not provide any clues to the use of any statistical analysis attack on the encrypted image [7] .

5.3 Correlation Analysis of Two Adja- cent Pixels Figure 6: The encrypted-decrypted images. The superior confusion and diffusion properties are shown in the correlations of adjacent pixels from the ciphered image [43]. We analyze the correlation between adjacent International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 26

Table 1: Correlation coefficient of two adjacent pixels in 300 simulated original and ciphered image 250 Direction Original image Ciphered image Horizontal 0.9158 0.0036 200 Vertical 0.9085 0.0073 150 Diagonal 0.8791 0.0059

100

50

250 Pixel gray value on location (x+1,y+1)

0 0 50 100 150 200 250 300 200 Pixel gray value on location (x,y)

150 Figure 8: Correlation analysis of encrypted image

100 for an encrypted image should be 8. The calculation of 50 entropy for the ciphered image (Figure 4(b)) is presented

Pixel gray value on location (x+1,y+1) below:

0 0 50 100 150 200 250 255 Pixel gray value on location (x,y) X 1 H(s) = P (s ) log = 7.9981632. i 2 P (s ) i=0 i Figure 7: Correlation analysis of original image The result shows that the entropy of the encrypted image is very close to the ideal entropy value, higher than most of other existing algorithms. This indicates that the rate pixels in original and ciphered peppers image. We calcu- late the correlation coefficient in the horizontal, vertical of information leakage from the proposed image encryp- and diagonally, the following relation is used [1]: tion algorithm is close to zero. PN PN PN (N j=1 xj yj − j=1 xj j=1 yj ) Cr = 5.5 Plain-text Sensitivity Analysis (Dif- (N PN (x )2 − (PN x )2)(N PN (y )2 − (PN y )2) j=1 j j=1 j j=1 j j=1 j ferential Attacks) where xj and yj are the values of the adjacent pixels in the image and N is the total number of pixels selected Attackers often make a slight change for the original im- from the image for the calculation. We choose randomly age, use the proposed scheme to encrypt the original im- 3000 image pixels from the original image and the ci- age before and after changing, and through comparing phered image respectively to calculate the correlation co- two encrypted images to find out the relationship between efficients of the adjacent pixels in horizontal, vertical and the original image and the encrypted image. This kind of diagonally direction. It demonstrates that the encryption attack is called differential attack [43]. In order to re- algorithm covers up all the characters of the original im- sist differential attack, a minor alternation in the plain- age showing a good performance of balanced 0 1 ratio. image should cause a substantial change in the ciphered The correlation of the original image and the encrypted image. To test the influence of one-pixel change on the image are shown in Figures 7 and 8. whole image encrypted by the proposed algorithm, two common measures were used: NPCR and UACI [16]. NPCR represents the change rate of the ciphered im- 5.4 Information Entropy age provided that only one pixel of plain-image changed. Information theory is a mathematical theory founded in UACI which is the unified average changing intensity, 1949 by Shannon [13]. Modern information theory is con- measures the average intensity of the differences between cerned on data compression, error-correction, communi- the plain-image and ciphered image. For calculation of cations systems, cryptography, and related topics. There NPCR and UACI, let us assume two ciphered images is a universal formula for calculating information entropy: C1 and C2 whose corresponding plain images have only one-pixel difference. Label the gray-scale values of the 2N −1 X 1 pixels at grid (i, j) of C1 and C2 by C1(i, j) and C2(i, j), H(s) = P (s ) log i 2 P (s ) respectively. Define a bipolar array, D, with the same i=0 i size as image C1 or C2. Then, D(i, j) is determined by where P (si) represents the probability of symbol si and C1(i, j) and C2(i, j), namely, if C1(i, j) = C2(i, j) then the entropy is expressed in bits. The ideal entropy value D(i, j) = 0; otherwise, D(i, j) = 1. NPCR and UACI International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 27 are defined by the following formulas [9]: 6 Conclusion P i,j D(i, j) In this paper we concentrate on the field of image en- NPCR = × 100% W × H cryption. The encryption and decryption schemes are   given. In this algorithm, the three-dimensional chaotic lo- 1 X |Ci(i, j) − C2(i, j)| UACI = × 100% gistic map is used to generate pseudo-random sequences, W × H  255  i,j which are independent and approximately uniform. Af- ter a series of transformations, the sequences constitute where W and H are the width and height of C1 or C2. a new pseudo-random sequence uniformly distributing in Tests have been performed on the proposed scheme by the value space, which covers the plain-text by execut- considering the one-pixel change influence on a 256-gray ing Exclusive-OR and shifting operations some rounds to scale image of size 256 × 256. Also in order to clarify the form the cipher. Experiments and a safety analysis are effect of small change in the secret key such as initial con- carried out. We analyze the performance, security and the dition (x0 = 0.100001 to x0 = 0.1000010000000001, y0 = resistance to difference and linear attack of this crypto- 0.100001 to y0 = 0.1000010000000001, z0 = 0.100001 to graphic system by a simulation. Simulation results show z0 = 0.1000010000000001) NPCR is calculated. We ob- that the algorithm is efficient and usable for the security tained NPCR = 0.00385 (1 − NPCR = 0.99615) and of the image encryption system. UACI = 0.361. The percentage of pixel changed in en- crypted image is over 99% even with one-bit difference in plain-image. UACI is near to 1/3 as security required [2]. Acknowledgment Moreover, in order to analyze the effect of the control parameter µ in the cipher image, the NPCR test is con- This work is supported by the foundation of sci- ducted on the algorithm over this parameter. The process ence and technology department of Sichuan province of the analysis is almost the same as the one for a single NO.2016GZ0077 and NO.2017JY0007. The authors bit change in the plain-text, but this time we keep plain- gratefully acknowledge the anonymous reviewers for their image as original, and analyze the number of bit changes valuable comments. between two different cipher texts achieved from encryp- tion with two different parameters with very small change (α = 3.8900000001 versus α = 3.8900000001000001). The References calculated value of NPCR for the proposed algorithm is [1] A. Afshin, M. Hadi, and A. Amir, “A novel block 0.003238 which is very close to the ideal value. Also, com- cipher based on hierarchy of one-dimensional com- pared with other chaos based algorithms such as NPCR position chaotic maps,” in IEEE International Con- and UACI of the proposed algorithm has a good ability ference on Image Processing, pp. 1993–1996, 2006. to anti differential attack [18]. [2] A. Akhavan, A. Samsudin, and A. Akhshani, “A symmetric image encryption scheme based on com- Table 2: Average ciphering time taking of a few different bination of nonlinear chaotic maps,” Journal of the size images Franklin Institute, vol. 348, no. 8, pp. 1797–1813, 2011. Images size(pixels) Bits/pixels Ciphered time(s) [3] A. Akif, C. Haris, K. Ismail, P. Ihsan, and I. Ay- 256 × 256 × 3 24 1.27-1.32 han, “Chaos-based engineering applications with a 512 × 512 × 3 24 5.07-5.21 3d chaotic system without equilibrium points,” Non- 1024 × 1024 × 3 24 20.56-21.63 linear Dynamics, vol. 84, no. 2, pp. 481–495, 2015. 2048 × 2048 × 3 24 67.81-69.35 [4] A. Amir, S. Azman, and A. Afshin, “A novel parallel hash function based on 3d chaotic map,” EURASIP Journal on Advances in Signal Processing, vol. 2013, no. 1, pp. 126–126, 2013. 5.6 Analysis of Speed [5] M. S. Baptista, “Cryptography with chaos,” Physics Letters A, vol. 240, no. 1–2, pp. 50–54, 1998. Apart from the security consideration, running speed [6] S. Behnia, A. Akhavan, A. Akhshani, and A. Sam- of the algorithm is also an important aspect for a sudin, “Image encryption based on the jacobian ellip- good encryption algorithm. We measure the encryp- tic maps,” Journal of Systems and Software, vol. 86, tion/decryption rate of several color images of different- no. 9, pp. 2429–2438, 2013. size by using the proposed image encryption scheme. [7] S. Behnia, A. Akhshani, S. Ahadpour, H. Mahmodi, The time analysis is done on a core 2 duo 2.26Gz and A. Akhavan, “A fast chaotic encryption scheme CPU with 4GB RAM notebook running on Debian 8.0 based on piecewise nonlinear chaotic maps,” Physics and using Matlab 2014b glnxa64. The average encryp- Letters A, vol. 366, no. 4, pp. 391–396, 2007. tion/decryption time taken by the algorithm for different- [8] S. Bouchkaren and S. Lazaar, “A new iterative secret sized images is shown in the Table 2. key cryptosystem based on reversible and irreversible International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 28

cellular automata,” International Journal of Network [25] B. Jana, “Dual image based reversible data hiding Security, vol. 18, no. 2, pp. 345–353, 2016. scheme using weighted matrix,” International Jour- [9] S. Bruce and S. Phil, Applied Cryptography: Proto- nal of Electronics and Information Engineering, vol. cols, Algorithms, and Source Code in C, Wiley, 1995. 5, no. 1, pp. 6–19, 2016. [10] S. H. Carl, Chaos in Dynamical Systems, Springer [26] A. Kanso and M. Ghebleh, “A novel image encryp- International Publishing, 2017. tion algorithm based on a 3d chaotic map,” Commu- [11] C. C. Chang, K. F. Hwang, M. S. Hwang, “A digital nications in Nonlinear Science & Numerical Simula- watermarking scheme using human visual effects”, tion, vol. 17, no. 7, pp. 2943–2959, 2012. Informatics, vol. 24, no. 4, pp. 505–511, Dec. 2000. [27] L. Liu, Z. Cao, “Analysis of two confidentiality- [12] L. Chunhu, L. Guangchun, Q. Ke, and L. Chunbao, preserving image search schemes based on additive “An image encryption scheme based on chaotic tent homomorphic encryption,” International Journal of map,” Nonlinear Dynamics, vol. 87, no. 1, pp. 127– Electronics and Information Engineering, vol. 5, no. 133, 2017. 1, pp. 1–5, 2016. [13] S. Claude, “Communication theory of secrecy sys- [28] E. N. Lorenz, “Deterministic nonperiodic flow,” tems*,” Bell system technical journal, vol. 28, no. 4, Journal of the Atmospheric Sciences, vol. 20, no. 2, pp. 656–715, 1949. pp. 130–141, 1963. [14] S. J. Clinton, Chaos and Time-Series Analysis, Ox- [29] F. H. Mohamed and T. A. Gulliver, “Real-time image ford University Press, vol. 1, 2003. encryption using a low-complexity discrete 3d dual [15] F. Dachselt and W. Schwarz, “Chaos and cryptogra- chaotic cipher,” Nonlinear Dynamics, vol. 82, no. 3, phy,” IEEE Transactions on Circuits and Systems pp. 1–13, 2015. I Fundamental Theory and Applications, vol. 48, [30] M. A. Murillo-Escobar, C. Cruz-Hernndez, no. 12, pp. 1498–1509, 2002. F. Abundiz-Prez, and O. R. A. Campo, “A [16] D. N. Delia, “Book review: Elementary statistics: A rgb image encryption algorithm based on total plain step by step approach, 9thed,” Teaching Sociology, image characteristics and chaos,” Signal Processing, vol. 44, 2016. vol. 109, pp. 119–131, 2015. [17] A. A. A. El-Latif, L. Li, W. Ning, H. Qi, and N. Xi- [31] M. Naoki and A. Kazuyuki, “Cryptosystems with amu, “A new approach to chaotic image encryption discretized chaotic maps,” IEEE Transactions on based on quantum chaotic system, exploiting color Circuits and Systems I: Fundamental Theory and spaces,” Signal Processing, vol. 93, no. 11, pp. 2986– Applications, vol. 49, no. 1, pp. 28–40, 2002. 3000, 2013. [32] S. Nigel et al., “Ecrypt ii yearly report on algorithms [18] A. A. A. El-Latif, L. Li, and N. Xiamu, “A new image and keysizes,” Framework, pp. 116–116, 2010. encryption scheme based on cyclic elliptic curve and [33] P. Praveenkumar, K. Thenmozhi, J. B. B. Rayap- chaotic system,” Multimedia Tools and Applications, pan, and R. Amirtharajan, “Mojette (d) secret im- vol. 70, no. 3, pp. 1559–1584, 2014. age sedih in an encrypted double image - a histo ap- [19] C. Guanrong, M. Yaobin, and C. Charles, “A sym- proach,” International Journal of Network Security, metric image encryption scheme based on 3d chaotic 2016. cat maps,” Chaos, Solitons & Fractals, vol. 21, no. 3, [34] M. May Robert, “Simple mathematical models pp. 749–761, 2004. with very complicated dynamics,” Nature, vol. 261, [20] Z. Guomin, Z. Daxing, L. Yanjian, Y. Ying, and L. no. 5560, pp. 459–467, 1976. Qiang, “A novel image encryption algorithm based [35] Y. Ruisong and Z. Wei, “A chaos-based image en- on chaos and line map,” Neurocomputing, vol. 169, cryption scheme using 3d skew tent map and cou- pp. 150–157, 2015. pled map lattice,” International Journal of Com- [21] Z. Hegui, Z. Xiangde, Y. Hai, Z. Cheng, and Z. Zhil- puter Network & Information Security, vol. 4, no. 1, iang, “An image encryption algorithm based on com- pp. 25–28, 2012. pound homogeneous hyper-chaotic system,” Nonlin- [36] K. Sarah, H. Hamid, D. Sad, and B. Mamar, “A ear Dynamics, pp. 1–19, 2017. novel secure image transmission scheme based on [22] L. L. Hua and C. Z. Jun, “Analysis of two synchronization of fractional-order discrete-time hy- confidentiality-preserving image search schemes perchaotic systems,” Nonlinear Dynamics, vol. 1, based on additive homomorphic encryption,” Inter- no. 1, pp. 1–17, 2017. national Journal of Electronics & Information Engi- [37] B. Schneier, “Applied cryptography: Protocols, algo- neering, vol. 5, 2016. rithms, and source code in C,” John Wiley & Sons, [23] L. C. Huang, L. Y. Tseng, M. S. Hwang, “A re- Inc, New York, vol. 1, no. 1, pp. 53–54, 1996. versible data hiding method by histogram shifting [38] L. Shiguo, “A block cipher based on chaotic neu- in high quality medical images”, Journal of Systems ral networks,” Neurocomputing, vol. 72, no. 4–6, and Software, vol. 86, no. 3, pp. 716–727, Mar. 2013. pp. 1296–1301, 2009. [24] G. James, “Chaos: Making a new science,” The [39] S. Sowmya and S. V. Sathyanarayana, “Symmetric Quarterly Review of Biology, vol. 56, no. 1, pp. 1053– key image encryption scheme with key sequences de- 1054, 1989. rived from random sequence of cyclic elliptic curve International Journal of Network Security, Vol.21, No.1, PP.22-29, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).04) 29

points over gf(p),” International Journal of Network [46] W. X. Yuan and Z. J. Feng, “Cryptanalysis on a Security, vol. 12, no. 3, pp. 137–150, 2011. parallel keyed hash function based on chaotic neu- [40] P. Vinod, N. K. Pareek, G. Purohit, and K. K. ral network,” Neurocomputing, vol. 73, no. 16–18, Sud, “A robust and secure chaotic standard pp. 3224–3228, 2010. map based pseudorandom permutation-substitution scheme for image encryption,” Optics Communica- tions, vol. 284, no. 19, pp. 4331–4339, 2011. Biography [41] Z. Wei, W. Kwok-wo, Y. Hai, and Z. Zhi-liang, “An image encryption scheme using reverse 2-dimensional Chunhu Li received his B.S. (2008) in computer science chaotic map and dependent diffusion,” Communica- from Qingdao Agricultural University and M.S. (2011) in tions in Nonlinear Science & Numerical Simulation, computer science from University of Electronic Science vol. 18, no. 8, pp. 2066–2080, 2013. and Technology of China (UESTC), China. He is cur- [42] C. C. Wu, S. J. Kao, and M. S. Hwang, “A high rently a Ph.D. candidate at UESTC. His research interests quality image sharing with steganography and adap- include cloud computing, network security, image encryp- tive authentication scheme”, Journal of Systems and tion and artificial intelligence. Software, vol. 84, no. 12, pp. 2196–2207, 2011. Guangchun Luo received his Ph.D. degree in computer [43] W. Xiaopeng, G. Ling, Z. Qiang, Z. Jianxin, and L. science from UESTC in 2004. He is currently a professor Shiguo, “A novel color image encryption algorithm of computer science at UESTC. His research interests in- based on dna sequence operation and hyper-chaotic clude computer networks, mobile networks and network system,” Journal of Systems and Software, vol. 85, security. no. 2, pp. 290–299, 2012. [44] M. Yaobin, C. Guanrong, and L. Shiguo, “A novel Chunbao Li received his B.S. (2011) in computer science fast image encryption scheme based on 3d chaotic from China West Normal University and M.S. (2014) in baker maps,” International Journal of Bifurcation computer science from University of Electronic Science and Chaos, vol. 14, no. 10, pp. 3613–3624, 2004. and Technology of China (UESTC), China. He is cur- [45] Z. Yicong, B. Long, and C. L. P. Chen, “A new 1d rently a Ph.D. candidate at UESTC. His research inter- chaotic system for image encryption,” Signal Pro- ests include artificial intelligence, machine learning. cessing, vol. 97, no. 7, pp. 172–182, 2012. International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 30

Granger Causality in TCP Flooding Attack

Rup Kumar Deka1, Dhruba Kumar Bhattacharyya1, and Jugal Kumar Kalita2 (Corresponding author: Rup Kumar Deka) Department of Computer Science and Engineering, School of Engineering, Tezpur University Napaam, Tezpur, Assam, 784028, India1 (Email: [email protected]) Department of Computer Science, College of Engineering and Applied Science, University of Colorado 1420 Austin Bluffs Parkway, Colorado Springs, CO 80933-7150, United States2 (Received Oct. 18, 2017; revised and accepted March 27, 2018)

Abstract

Malicious software events are usually stealthy and thus challenging to detect. A triggering relation can be as- sumed to be causal and to create a temporal relation- ship between the events. For example, in a spoofed TCP DDoS flooding attack, the attacker manipulates a three- way handshake procedure. During this attack, the num- ber of spoofed IP addresses and the number of open ports used by the attacker follow a causal relationship. This pa- per demonstrates the effectiveness of Granger Causality in confirming TCP flooding attacks. We focus on discov- ering the presence of TCP-SYN flooding DDoS activity Figure 1: Recent DDoS attack statistics in network traffic by analyzing causal information in near real time. addition, with the evolution of botnet technology, it has Keywords: DDoS; Granger Causality; TCP Flooding become even more difficult to provide real time defense. To investigate into causal or correlational behavior in 1 Introduction the network traffic during a SYN flood attack, we have to analyze the traffic if the intrusion detection systems Most DNS reflection attacks are currently caused by (IDS) system generates any alarm about an abnormal spoofing the source IP address to flood the Internet. SYN situation. It is often a challenge to effectively deal with floods, for example, are spoofed TCP floods, in which the the large number of alerts generated by intrusion detec- source of the IP packets appears to be different from their tion systems. Alert correlation is necessary to discover actual origin. Figure 1 shows that SYN and TCP attacks true anomalous behaviors. Generally, IDSs aim to un- are predominant according to the Kaspersky DDoS Intel- earth anomalies [11, 14, 30, 37]. They raise alerts for any ligence Report for the first quarter 2016 [25]. If the servers anomaly they find, when they find it, and do so indepen- are compromised, they too can send spoofed packets to dently of all other anomalies they may find. However, create a large attack. In the third quarter of 2016, there going beyond individual alerts, it may be possible to find was a huge intensity TCP-SYN flood attack of approxi- logical evidence of connections among them. Sometime, mately 60 giga bytes per second and 150 million packets attacks may be intensive with a large number of gener- per second, as rated by Verisign [43]. It was bigger than ated alerts. Actual alerts can also be mixed with false the previous biggest at 125 million packets per second alerts. The sheer volume of alerts is likely to become un- during the fourth quarter of 2015. manageable. As a result, it becomes difficult to evaluate In the recent past, a good number of efforts to provide alerts properly and quickly to take appropriate actions, real time detection or mitigation of DDoS attacks with and hence to respond properly. adequate accuracy have been proposed [2, 7, 8, 10, 18, 39]. However, a report of the United States Computer Emer- 1.1 Motivation gency Readiness Team (US-CERT), has recently observed that an effective DDoS defense solution that can handle It is necessary to enhance the performance of alert cor- DDoS attacks of all types well, is still lacking [42]. In relation and also to minimize the damage from attacks. International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 31

Some techniques for alert correlation have been presented misuser usually follows a sequential procedure to violate by Ning et al. [29]. These techniques are two complemen- security policies creating a sequence with earlier steps tary alert correlation methods based on alert attributes’ preparing for the later ones. These steps may result in similarities, and attack prerequisites and consequences. alerts. These alerts can be used to discover the attacker’s In particular, the work is based on the indirect causal action. relationships between alerts. Zhu and Ghorbani [46] demonstrate a method using Our work’s aim is to confirm the presence of TCP- learning techniques: Multilayer Perceptrons (MLP) [34] SYN flooding DDoS activity by analyzing causal infor- and Support Vector Machines (SVM) [21]. The outputs mation for alert analysis in the network traffic using of these techniques can be converted to probabilities and Granger Causality. In varied fields like economics [20], then combined for evaluation of correlation between pre- neuroscience [13] and cardiovascular control [31], Granger vious alerts and current alerts. This suggests a causal Causality analysis has been used to study data series to relationship between two alerts, helping in the construct- uncover the presence of causal behavior. ing attack scenarios. Roschke et al. [33] use prior knowledge about the target 1.2 Background system for an efficient correlation process. They design a correlation algorithm based on attack graphs (AG). The The components of an intrusion detection system cooper- existing vulnerabilities and their AGs are used for rep- atively gather and produce a concise summary of events resentation of environment information and potential ex- on the network with respect to security. The IDS also ploits. establishes correlation among the collected alerts. To do Kang and Mohaisen [24] design a system to reduce the so, it may use an alert correlation procedure. This corre- number of false positive alerts. These false positive alerts lation procedure can be divided into multiple steps where are generated by the existing DDoS mitigation methods each step performs a part of the whole task. The perfor- along with true alerts. The authors perform a preliminary mance of the correlation process depends upon the serial analysis of real DDoS data. They also propose a system execution by these steps. The total time needed can be that uses ensemble classifier techniques to work in tandem derived by adding the number of processed alerts by each with the existing rule-based system to ease the burden on step. the mitigation team. Elshoush and Osman [15] propose a new correlation Wang and Chiou [44] develop a system to extract at- framework based on a model that reduces the number of tack strategies using dynamic feature weights. It extracts processed alerts as early as possible by discarding irrele- attack scenarios from attackers by observing the connec- vant and false alerts in the first phase. Modified algorithm tivity and relationships among the receiving alerts. for fusing the alerts is also proposed. The intruders’ in- GhasemiGol and Bafghi [17] develop an intrusion-alert tentions are grouped into attack scenarios and thus used correlation system based on the the information found in to detect future attacks. the raw alerts without using any pre-constructed knowl- Li and Tian [28] propose an alert correlation approach edge. They define the concept of alert partial entropy and based on their XSWRL ontology. They focus on how to use it to find alert clusters with the same information. develop the intrusion alert correlation system according These alert clusters are represented as hyper-alerts, and to an alert correlation approach. They use a system with a graph of hyper alerts provide a global view of intrusion multiple agents and sensors. The sensors collect security alerts. relevant information, and the agents process the infor- Raftopoulos and Dimitropoulos [32] introduce an mation. The State Sensor collects information about the IDS alert correlator called Extrusion Detection Guard security state and the Local State Agent and Center State (EDGe). It detects infected hosts within a monitored Agent pre-process the security state information and con- network from IDS alerts. EDGe detects several malwares vert it to ontology. The Attack Sensor collects informa- that exhibit multi-stage behavior. It can also identify the tion about the attack, and the Local Alert Agent and family and even variants of certain malware to re-mediate Center Alert Agent pre-process the alert information and and prioritize incidents. convert it to ontology. The Attack Correlator correlates the attacks and outputs the attack sessions. Bateni et al. [4] discuss an automated alert correlation 1.3 Contribution process, in which they use Fuzzy Logic [26] and an Artifi- cial Immune System (AIS) [22]. This approach discovers We make the following contributions in this paper. and learns the degree of correlation between two alerts. This knowledge is used to understand the attack scenar- • We introduce TCP-SYN flooding DDoS attack con- ios. Based on its fuzzy rules, the system computes the firmation mechanism based on the causal behavior in correlation probabilities. the network traffic using Granger causality. Yu and Frincke [45] propose a novel framework called Hidden Colored Petri-Net for Alert Correlation and Un- • We establish and validate the proposed method using derstanding (HCPN-ACU). According to them, a system benchmark and our own DDoS traffic datasets. International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 32

Figure 2: Example of Granger causality

1.4 Organization The organization of the paper is as follows. Section 2 in- troduces Granger Causality and TCP Flooding attacks. Section 3 presents the framework for detection of TCP- SYN flooding attacks and experimental results. Finally, Figure 3: The mathematical picture Section 4 provides the concluding remarks and future scope of the work. dependent on each other. When is it justified to say that 2 Granger Causality and TCP the one series X causes the other series Y? Questions of this kind are important when planning to devise actions, Flooding implementing new policies, or subjecting patients to a treatment. Nonetheless, the notion of causality has been 2.1 Granger Causality evasive and formal approaches to define causality have Detecting causal behavior among variables is an impor- been much debated and criticized. tant issue in statistics, although it remains a problem without a guaranteed solution. Granger causality was Granger Causality vs Causality introduced in 1960 for testing causal behavior among variables and applications of Granger causality in neu- • Granger Causality measures whether X happens be- roscience have recently become popular. According to fore Y and helps predict Y. Granger, the causality relationship follows two princi- ples: [19], • X Granger-Causing Y may entail real causality, but we can’t be sure. 1) The cause happens prior to its effect, and • If X does not Granger-Cause y, we can be more con- 2) Unique information is contained in the cause about fident about X does not cause Y. the future values of its effect.

Granger causality can be used to find causal relation 2.2 DDoS attack among variables. The concept of Granger causality is based on the ability to predict. in Figure 2, we see if DDoS attacks are intended to deny legitimate users access a data series X “Granger-Causes” (“G-Causes”) another to network resources. As shown in Figure 4, an attacker data series Y, we can predict that past values of X might launches the attack through some handlers and zombies contain information to predict Y, and we can also predict creating a botnet. In a botnet, there may be hundreds or beyond past values of Y alone. So, using the F-test or thousands of compromised sources that generating volu- the t-test we can devise a G-Cause test as a hypothesis minous traffic to flood the victim. It is extremely difficult test, as shown in Figure 3, to identify whether one time to differentiate legitimate traffic from attack traffic. The series can forecast another time series. Suppose that X sources may be spread across all over the globe [1,3,35,40]. and Y are two stationary time series that are statistically In early days, DDoS attacks were launched in 4 steps: International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 33

Figure 4: DDoS attack scenario

scanning, trade-off, deployment and propagation. Grad- ually, automation has been introduced into each of these steps, although the steps are still similar.

1) The attacker collects network configuration informa- tion using port scanners to identify vulnerabilities in the network.

2) The attacker exploits identified vulnerabilities to Figure 6: Framework for attack confirmation launch the attacks.

3) If the attack launch is successful, the attacker in- 2.3 Causality in TCP Flooding Traffic stalls additional software to manage continuous ac- As we have observed already, during a TCP flooding cess channels in the network. attack, the number of unknown IP addresses changes rapidly, and the number of ports used by these IP ad- 4) The attacker tries to clean up any evidence left due dresses is much higher, and they change rapidly. We hy- to the previous actions. In this step, daemons that pothesize that there is a causal relationship between the crashed (during the second step) are restarted, logs entropies of source-IP variation and port variation. Dur- are cleared and modified system software designed ing the attack time frame, the variations in entropy affect to hide the presence of rogue software from normal each other. The concept of Granger causality gives us a system commands is installed. way to analyze the pattern of IP address variation entropy and port number variation entropy when abnormal traffic is injected in to the network. 2.2.1 TCP SYN Floods A SYN flood is a form of denial-of-service attack in which 3 Framework and Results an attacker sends a succession of SYN requests to a tar- get’s system in an attempt to consume enough server re- We define the problem as follows. sources to make the system unresponsive to legitimate traffic. Manipulating the 3-way handshake in a TCP con- Problem Statement: The objective is to discover nection, an attacker sends a lot of ordinary SYN segments TCP flooding DDoS attacks in network traffic, whether to the victim machine to create a TCP flooding attack. A the attack traffic is low rate or high rate by evaluating TCP SYN flood is successful when the victim machine’s the causality in network traffic using Granger causality. TCP connection queue gets exhausted, thus denying legit- imate requests. A TCP flooding attack at a medium rate can also create disturbances in routers. TCP SYN flood- Datasets and Experimental Setup: We use MAT- ing is an asymmetric attack because a weak attacker can LAB R2016a 64 bit edition for our experiments, and per- halt a very powerful system. When a lot of users simul- form our experiments on a workstation with a 2.30Ghz taneously access a website for the same resource, it can processor, 64 GB RAM and a 64 bit Windows 10 op- lead to unavailability of the website temporarily creating erating system. In our experiments, we consider TCP flash traffic [5, 6]. traffic from four standard benchmark datasets. The first International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 34

Figure 5: Experimental setup one is the MIT-DARPA dataset [27] of normal and at- from the master. When the client program starts, it con- tack traffic. The second one is CAIDA-2007 DDoS attack nects to the server whose IP is specified as input to the traffic [16]. The MIT–DARPA and CAIDA–2007 datasets client program. contain both low rate and high rate DDoS traffic traces. The third dataset is the ISCX-IDS dataset [41]. The last 3.1 Procedural Framework and Results one is the TU-DDoS dataset for which we use the TU- CANNON tool for generation of the TCP flooding traffic Figure 6 shows the framework of our method as well as the using our own environment as shown in Figure 5 [9]. sequence of steps in our algorithmic procedure. There are four basic steps, viz., (a) Pre-processing, (b) Aggregation, (c) Attack strategy analysis, and (d) Attack confirmation. TU–CANNON Tool: Two main programs are exe- The execution processes and the results are discussed be- cuted in this traffic generation tool, viz., a server pro- low. gram and a client program. Using the server program, communication is established with the machines (bots) in the test-bed. This program can be used to generate 3.1.1 Pre-processing different traffic streams having different properties such To establish the causal behavior in the network traffic, as the protocol type (TCP, UDP and ICMP), the attack the arrival time of the packets, the source address and the pattern (constant rate attack, increasing rate attack and destination port need to be considered in our approach. pulsing attack) and the type of source IP (actual IP of Source IP values are in IPV4 format. Our procedure isn’t the machine or randomly generated, valid but spoofed IP concerned about the format of the IP addresses, whether address), the number of threads (where each thread ex- in IPV4 or IPV6 format, as we convert them to decimal. ecutes one copy of the slave program inside a single bot machine) and the range of ports of the victim to send 3.1.2 Aggregation the traffic [3]. As shown in Figure 5, we divide the com- puters for three separate functions. One computer exe- In aggregation, the main focus is all about gathering simi- cutes the TU–CANNON master program and this com- lar alerts together. We can see different definitions of alert puter recruits four other computers as slave, where the aggregation in the literature. According to some, alerts TU–CANNON slave program executes. When the mas- are said to be similar to each other if their attributes are ter starts, it waits for slaves to connect to it. The last similar except time difference. On the other hand, some computer captures the attack traffic. The client program enhance the concept of aggregation as clustering or group- is used to send the attack traffic as per the command sent ing all the alerts having the same root cause. Due to the International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 35

Figure 7: Hurst parameter values for different types of traffic

Table 1: Success rates for different network traf- fic/datasets Dataset/Traffic Used Accept/Reject Success NULL Hypothesis rate (%) MIT–DARPA Normal Accept 96 Traffic ISCX Normal Traffic Accept 97 MIT DARPA Attack Reject 97 Traffic CAIDA–2007 High- Reject 97 rate Attack Traffic CAIDA–2007 Low- Reject 98 rate Attack Traffic ISCX Attack Traffic Reject 95 TUCANNON Gener- Reject 98 Figure 8: Source IP and port entropy variations for nor- ated mal traffic

large number of alerts produced by low-level sensors for a single malicious activity, alert aggregation has proven to be highly effective in reducing alert volume. Similar alerts tend to have similar root causes or similar effects on resources of the Internet. Clustered alerts are suitable for analysis by administrators and facilitate analysis for identification of causality or false positive analysis. In our experiment, we use Hurst parameter-based self-similarity evaluation of traffic with abnormal patterns [12]. Nor- mal and abnormal traffic patterns are grouped depending upon the evaluated Hurst parameter value. In Figure 7, we can distinctly separate normal and abnormal traffic based on the Hurst value. Our aim is not only to sep- Figure 9: Source IP and port entropy variations for attack arate normal and abnormal traffic, but also to confirm traffic the presence of TCP flooding attack by analyzing causal behavior of the abnormal traffic. International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 36

Table 2: Execution time for different attack traffic datasets with varying numbers of incoming packets Time (in Sec.) Datasets 500 Packets 1000 Packets 2000 Packets MIT–DARPA Normal 0.080 0.118 0.122 ISCX Normal 0.078 0.115 0.119 MIT DARPA Attack 0.082 0.120 0.125 CAIDA–2017 High–rate Attack 0.080 0.119 0.121 CAIDA–2017 Low–rate Attack 0.079 0.117 0.120 ISCX Attack 0.081 0.118 0.123 TU-CANNON Generated Attack 0.084 0.120 0.122

3.1.3 Attack Strategy Analysis 3.1.4 Attack Confirmation If a time series is a stationary process, statistical t-test The source IP variation entropy and port variation en- is performed using the level values of two (or more) vari- tropy are shown in Figures 8 and 9, for the attack traffic ables. If the variables are non-stationary, then the test is generated in our setup and for normal traffic, respectively. performed using the first (or higher) differences. Any par- Based on the F-test, we confirm whether the TCP Flood- ticularly lagging value of one of the variables is retained ing attack has occurred or not in the network traffic. If in the regression if the null hypothesis gets accepted, it confirms the presence 1) It is significant according to a t-test, and of TCP flooding attack. The success rates of acceptance or rejection of NULL hypothesis for different datasets has 2) It and the other lagging values of the variable jointly been tabulated in Table 1. A couple of the datasets con- add explanatory power to the model according to an tain high-rate and low-rate DDoS traffic traces. In Ta- F-test. ble 2, we show execution times for different attack traffic The null hypothesis of Granger causality is not rejected if datasets with varying numbers of incoming packets. and only if no values of an explanatory variable have been retained in the regression. We use F-test for evaluation of Granger causality. Table 1 shows acceptability of the null hypothesis and also success rate of acceptance or rejection 3.2 Comparison of null hypothesis for different network traffic datasets. In the past, several authors have explored alert correla- [F, CV]=Grangercause(X, Y, α, Maxlag): The tion for network traffic analysis to detect attack scenarios. various terms in the formula are explained below. From However, our approach in this paper differs significantly F-test, we can obtain two output values: F and CV (Crit- from [29], [45], [46], [4], [17], and [44]. In Table 3, we show ical Value). a comparison of our method with these methods. X: Port entropy variation in abnormal traffic group. Y: Source IP address entropy variation in the abnormal traffic group. Both entropy values, X and Y follow 4 Conclusion and Future Direc- Shannon entrop [38]. tion α: Value of the significance level can be set by the user (α = 0.05). The significance level, denoted as alpha To confirm the occurrence of a TCP flooding DDoS at- (α), is the probability of rejecting the null hypothe- tack, it is essential to analyze the abnormal traffic as sis when it is true. For example, a significance level quickly as possible. In network anomaly detection, it is of 0.05 indicates a 5 percentage risk of concluding highly beneficial to achieve false positive and false neg- that a difference exists when there is no actual dif- ative rates as close to zero as possible. Keeping this in ference [23]. mind, we develop our approach to confirm the presence of TCP flooding DDoS attacks based on causal behavior in Maxlag: Maximum lag value among two time series. network traffic using Granger causality. We demonstrate Optimum lag length selection is chosen using the that the method performs satisfactorily over benchmark Bayesian Information Criterion [36]. datasets. The F-test evaluation on traffic datasets con- Output: If F > CV, we reject the null hypothesis that firms the attack in the traffic distinctly. Source IP address entropy does not Granger-Cause In future, we plan to study the causal behavior in other Port entropy variation. Otherwise, we accept the null flooding DDoS attack types. We also aim to explore the hypothesis. applicability of our approach in Ad–hoc network. International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 37

Table 3: Comparison with [29], [45], [46], [4], [17], and [44] Author, Year Aim Approach Dataset(s) Performance Used Ning et To build attack scenarios Integration of comple- MIT- Construction of integrated al. [29], 2004 mentary alert correla- DARPA correlation graph tion 2000 Yu and To create a model for Construction of a MIT- False alert rate is 93-95 % Frincke [45], attacker behaviors, intru- framework, using Hid- DARPA 2004 sion prerequisites and con- den Colored PetriNet 2000 sequences, security poli- for alert correlation cies and alerts and understanding Zhu and To extract attack strate- Use of Multilayer Per- MIT- Construction of graph rep- Ghor- gies automatically from a ceptron (MLP) and DARPA resenting attack strate- bani [46], large volume of intrusion Support Vector Ma- 2000 gies, the training results 2006 alerts chine (SVM) of MLP and SVM are 0.0002-0.9900 and 0.1252- 0.9926, the correlation weight in alert correla- tion matrix (ACM) is in range from 0.01 to 3533.93 and the forward correla- tion strength in ACM is in range from 0 to 0.857 Bateni et To build automated alert Use of Artificial Im- MIT- For 1000 alert, execution al. [4], 2013 correlation mune System and DARPA time is 19 seconds and Fuzzy Logic 2000 for 2000 alerts, execution time is 76 seconds GhasemiGol To build an entropy-based Use of prior informa- MIT- Reduction ratio of 99.98% and Ghaemi- alert correlation system tion in raw alerts with- DARPA Bafghi [17], out using any prede- 2000 2014 fined knowledge Wang and To build an alert corre- Use of equality con- MIT- Provides precise attack Chiou [44], lation system with auto- straint sets (ECS) and DARPA scenarios, the value of 2016 matic extraction of attack storage in the alert cor- 2000 alert correlation matrix strategies relation matrix (ACM) (ACM) is in range from 0 to 241.64 and the forward correlation strength is in range from 0 to 1 Our Work, To discover TCP flooding Using Granger causal- MIT- Success rate is 95-98%. This paper DDoS attacks in network ity to evaluate the DARPA Execution times are 0.078- traffic alert causality in network 2000, 0.084, 0.115-0.120, and traffic CAIDA-2007 0.119-0.125 seconds for (contains 500, 1000 and 2000 pack- both low- ets, respectively rate and high-rate), ISCX-IDS dataset and TU-DDoS dataset (using TU- CANNON)

References Network Security, vol. 19, no. 2, pp. 244–250, 2017.

[1] A. A. Ahmed and N. A. K. Zaman, “Attack inten- [2] A. A. Al-khatib and W. A. Hammood, “Mobile mal- tion recognition: A review,” International Journal of ware and defending systems: Comparison study,” In- International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 38

ternational Journal of Electronics and Information [17] M. GhasemiGol and A. Ghaemi-Bafghi, “E- Engineering, vol. 6, no. 2, pp. 116–123, 2017. correlator: an entropy-based alert correlation sys- [3] R. C. Baishya, N. Hoque, and D. K. Bhattacharyya, tem,” Security and Communication Networks, Wiley “DDoS attack detection using unique source IP de- Online Library, vol. 8, no. 5, pp. 822–836, 2015. viation,” International Journal of Network Security, [18] S. Goswami, N. Hoque, D. K. Bhattacharyya, and vol. 19, no. 6, pp. 929–939, 2017. J. Kalita, “An unsupervised method for detection of [4] M. Bateni, A. Baraani, and A. Ghorbani, “Using ar- XSS attack,” International Journal of Network Se- tificial immune system and fuzzy logic for alert cor- curity, vol. 19, no. 5, pp. 761–775, 2017. relation,” International Journal of Network Security, [19] C. W. J. Granger, “Investigating causal relations vol. 15, no. 3, pp. 190–204, 2013. by econometric models and cross-spectral methods,” [5] S. Behal and K. Kumar, “Characterization and com- Econometrica: Journal of the Econometric Society, parison of DDoS attack tools and traffic generators: JSTOR, pp. 424–438, 1969. A review,” International Journal of Network Secu- [20] C. W. J. Granger, B. N. Huangb, and C. W. Yang, rity, vol. 19, no. 3, pp. 383–393, 2017. “A bivariate causality between stock prices and ex- [6] S. Behal, K. Kumar, and M. Sachdeva, “Discriminat- change rates: evidence from recent Asian flu,” The ing flash events from DDoS attacks: A comprehen- Quarterly Review of Economics and Finance, Else- sive review,” International Journal of Network Secu- vier, vol. 40, no. 3, pp. 337–354, 2000. rity, vol. 19, no. 5, pp. 734–741, 2017. [21] Marti A. Hearst, Susan T Dumais, Edgar Osuna, [7] D. K. Bhattacharyya and J. K. Kalita, Network John Platt, and Bernhard Scholkopf, “Support vec- anomaly detection: A machine learning perspective. tor machines,” IEEE Intelligent Systems and their CRC Press, 2013. applications, vol. 13, no. 4, pp. 18–28, 1998. [8] D. K. Bhattacharyya and J. K. Kalita, DDoS attacks: [22] Steven A Hofmeyr and Stephanie Forrest, “Immunity evolution, detection, prevention, reaction, and toler- by design: An artificial immune system,” in Proceed- ance. CRC Press, 2016. ings of the 1st Annual Conference on Genetic and [9] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Evolutionary Computation-Volume 2, pp. 1289–1296. Kalita, “Towards generating real-life datasets for net- Morgan Kaufmann Publishers Inc., 1999. work intrusion detection,” International Journal of [23] Tse-Chi Hsu and Leonard S Feldt, “The effect of lim- Network Security, vol. 17, no. 6, pp. 683–701, 2015. itations on the number of criterion score values on [10] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. the significance level of the f-test,” American Educa- Kalita, Network Traffic Anomaly Detection and Pre- tional Research Journal, vol. 6, no. 4, pp. 515–527, vention: Concepts, Techniques, and Tools. Springer, 1969. 2017. [24] A. R. Kang and A. Mohaisen, “Automatic alerts an- [11] A. Chaudhary, V. N. Tiwari, and A. Kumar, “A new notation for improving DDoS mitigation systems,” in intrusion detection system based on soft comput- IEEE Conference on Communications and Network ing techniques using neuro-fuzzy classifier for packet Security (CNS), pp. 362–363, Philadelphia, PA USA, dropping attack in manets,” International Journal of 2016. IEEE. Network Security, vol. 18, no. 3, pp. 514–522, 2016. [25] Kaspersky. “Kaspersky DDoS intelligence report [12] R. K. Deka and D. K. Bhattacharyya, “Self-similarity for Q1 2016,” 2016. (https://securelist.com/ based DDoS attack detection using Hurst parame- kaspersky-ddos-intelligence-report) ter,” Security and Communication Networks, Wiley [26] George Klir and Bo Yuan, Fuzzy sets and fuzzy logic, Online Library, vol. 9, no. 17, pp. 4468–4481, 2016. vol. 4. Prentice hall New Jersey, 1995. [13] M. Ding, Y. Chen, and S. L. Bressler, “Granger [27] Massachusetts Institute of Technology (MIT) Lin- causality: basic theory and application to neuro- coln Laboratory. “DARPA intrusion detection data science,” arXiv preprint q-bio/0608035, 2006. sets,” 2000. (https://www.ll.mit.edu/ideval/ [14] R. H. Dong, D. F. Wu, and Q. Y. Zhang, “The in- data/) tegrated artificial immune intrusion detection model [28] W. Li and S. Tian, “An ontology-based intrusion based on decision-theoretic rough set,” International alerts correlation system,” Expert Systems with Ap- Journal of Network Security, vol. 19, no. 6, pp. 880– plications, Elsevier, vol. 37, no. 10, pp. 7138–7146, 888, 2017. 2010. [15] H. T. Elshoush and I. M. Osman, “An improved [29] P. Ning, D. Xu, C. G. Healey, and R. St. Amant, framework for intrusion alert correlation,” in Pro- “Building attack scenarios through integration of ceedings of the World Congress on Engineering, complementary alert correlation method,” in Net- vol. 1, pp. 1–6, Imperial College London, London, work and Distributed System Security Symposium, U.K., 2012. vol. 4, pp. 97–111, Catamaran Resort Hotel San [16] CAIDA (Center for Applied Internet Data Analysis). Diego, California, USA, 2004. “CAIDA-2007 data,” 2007. (https://www.caida. [30] E. Popoola and A. O. Adewumi, “Efficient feature org/data/passive/ddos-20070804_dataset.xml) selection technique for network intrusion detection International Journal of Network Security, Vol.21, No.1, PP.30-39, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).05) 39

system using discrete differential evolution and de- [42] US-CERT. “Udp-based amplification attacks,”, cision,” International Journal of Network Security, 2015. vol. 19, no. 5, pp. 660–669, 2017. [43] Verisign. “Q4 2016 DDoS trends report: 167 [31] Alberto Porta, Tito Bassani, Vlasta Bari, Gian D percent increase in average peak attack size from Pinna, Roberto Maestri, and Stefano Guzzetti, “Ac- 2015 to 2016,” 2016. (https://blog.verisign. counting for respiration is necessary to reliably in- com/security) fer Granger causality from cardiovascular variability [44] C. H. Wang and Y. C. Chiou, “Alert correlation sys- series,” IEEE Transactions on Biomedical Engineer- tem with automatic extraction of attack strategies by ing, vol. 59, no. 3, pp. 832–841, 2012. using dynamic feature weights,” International Jour- [32] E. Raftopoulos and X. Dimitropoulos, “IDS alert cor- nal of Computer and Communication Engineering, relation in the wild with edge,” IEEE Journal on IACSIT Press, vol. 5, no. 1, p. 1, 2016. Selected Areas in Communications, vol. 32, no. 10, [45] D. Yu and D. Frincke, “A novel framework for alert pp. 1933–1946, 2014. correlation and understanding,” in The Second In- [33] S. Roschke, F. Cheng, and C. Meinel, “A new alert ternational Conference on Applied Cryptography and correlation algorithm based on attack graph,” Com- Network Security, (ACNS 2004), vol. 4, pp. 452–466, putational intelligence in security for information College Park, Maryland, USA, 2004. systems, pp. 58–67, 2011. [46] B. Zhu and A. A. Ghorbani, Alert correlation for [34] Dennis W Ruck, Steven K Rogers, Matthew extracting attack strategies. University of New Kabrisky, Mark E Oxley, and Bruce W Suter, “The Brunswick, Canada, 2005. multilayer perceptron as an approximation to a bayes optimal discriminant function,” IEEE Transactions on Neural Networks, vol. 1, no. 4, pp. 296–298, 1990. Biography [35] I. Sattar, M. Shahid, and Y. Abbas, “A review of techniques to detect and prevent distributed denial Rup Kumar Deka is a research Scholar in the Com- of service (DDoS) attack in cloud computing envi- puter Science & Engineering Department at Tezpur Uni- ronment,” International Journal of Computer Appli- versity. His research areas include Network Security, Net- cations, Foundation of Computer Science, vol. 115, work Management and Cryptography. Mr. Deka has com- no. 8, 2015. pleted B.E. and M.Tech. degree in computer science and [36] G. Schwarz, “Estimating the dimension of a model,” is currently pursuing Ph. D. degree. The annals of statistics, vol. 6, no. 2, pp. 461–464, Dhruba Kumar Bhattacharyya is a Professor in the 1978. Computer Science & Engineering Department at Tezpur [37] V. M. Shah and A. K. Agarwal, “Reliable alert fu- University. His research areas include Machine Learn- sion of multiple intrusion detection systems,” Inter- ing, Network Security and Bioinformatics. Prof. Bhat- national Journal of Network Security, vol. 19, no. 2, tacharyya has published more than 250 research papers in pp. 182–192, 2017. the leading international journals and conference proceed- [38] C. E. Shannon, “A mathematical theory of communi- ings. In addition, Dr Bhattacharyya has written/edited cation,” Bell system technical journal, vol. 27, no. 3, more than 13 books. pp. 379–423, 1948. [39] S. Sivabalan and P. Radcliffe, “Power efficient secure Jugal Kumar Kalita is a Professor in the Department web servers,” International Journal of Network Se- of Computer Science, College of Engineering and Applied curity, vol. 20, no. 2, pp. 303–311, 2018. Science, University of Colorado, Colorado Springs, United [40] J. R. Sun and M. S. Hwang, “A new investigation States. Dr. Kalita’s research areas include Artificial In- approach for tracing source IP in DDoS attack from telligence, Bioinformatics, Natural Language Processing, proxy server,” in International Computer Sympo- Machine Learning and Network Security. He has pub- sium (ICS 2014), pp. 850–857, Tunghai University, lished around 200 research papers in the leading interna- Taichung, Taiwan, 2014. tional journals and conference proceedings. In addition, [41] University of New Brunswick (UNB). “Intrusion Prof. Kalita has written/edited 4 books. detection evaluation dataset (iscxids2012),” 2912. (http://www.unb.ca/cic/datasets/ids.html) International Journal of Network Security, Vol.21, No.1, PP.40-46, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).06) 40

New Hierarchical Identity Based Encryption with Maximum Hierarchy

Dasari Kalyani1, R. Sridevi2 (Corresponding author: D. Kalyani)

Department of Information Technology, VNR Vignana Jyothi Institute of Engineering and Technology1 Vigana Jyothi Nagar, Bachupally Road, Pragathi Nagar, Hyderabad, Telangana 500090, India Department of Computer Science and Engineering, Jawaharlal Nehru Technological University Hyderabad2 Kukatpally, Hyderabad, Telangana 500085, India (Email: kalyani [email protected]) (Received Oct. 9, 2017; revised and accepted Apr. 21, 2018)

Abstract can decrypt these messages. This idea was presented by Shamir [27], an prototype solution was proposed in [5,6], Identity Based Encryption (IBE) is a type of public-key and the primary completely IBE framework were por- encryption in which the public key of a user has some trayed by Boneh and Franklin [27] and Cocks [7]. IBE unique information about the identity of the user, and it is frameworks can enormously disentangle the general pop- an important primitive of public cryptography. As far as ulation key foundation for encryption arrangements, yet Hierarchical Identity-Based Encryptions (HIBE) concern, they are still not as general as one might want. Numerous it is rational to view the root PKG (Private Key Genera- associations have a various hierarchical structure, maybe tor) as a trusted party or being unconditionally trusted, with one trusted authority, a few sub-authorities and nu- but those level PKGs should be treated suspiciously in merous individual clients, each have a placing with a little hierarchical identity based setting. To achieve the full piece of the association tree. security, existing schemes suffers a security degradation We might want to have an answer where every special- exponential in the hierarchy depth. In this paper, we pro- ist can assign keys to its sub-authorities, who can con- pose Hierarchical Identity-Based Encryption with maxi- tinue appointing keys additionally down the hierarchy to mum hierarchy extension to Boneh IBE under Decisional the clients. The length of the hierarchy order can run Bilinear Diffie-Hellman (DBDH) assumption in standard from a few in little associations, up to at least ten in huge security model. To overcome key escrow problem chal- ones. An IBE framework [14] that permits lower authori- lenge in HIBE, we proposed a new method that overcomes ties as above is called Hierarchical Identity-Based Encryp- key escrow by having maximum Hierarchy length. This tion (HIBE). In HIBE [15, 16], messages are encoded for is due to sequential manner in the key generation, means character vectors, noting as nodes in the hierarchy chain. that level PKGs does not have the ability of determin- This idea was presented by Horwitz and Lynn [8], who ing valid private keys without other level private keys. likewise depicted a partial solution for it, and the pri- Correctness and security analysis of the scheme is also mary fully functional HIBE framework was portrayed by discussed. Gentry and Silverberg [33]. Keywords: Ciphertext; IBE; HIBE; Key Escrow; Public In traditional hierarchical identity based cryptosys- Key Cryptography; Random Oracle tems, non-leaf entities as level Private Key Generators (PKG) are usually capable of deriving private keys for their descendants with use of their private keys. The 1 Introduction non-leaf entities can therefore act (decrypt or sign) on the behalf of their arbitrary descendants. This is called Identity-Based Encryption (IBE) [24] is a public-key en- key escrow problem of HIBC. In [18], the authors pro- cryption scheme where ones public key can be unre- posed a secure key issuing protocol for IBE which is also servedly set to any unique identity (for example, one’s extends to key generation of HIBE with coalition of other identity). An authority that holds a master secret key threshold [22,29] and multi level access structures [28,30] can take any arbitrary identifier and extract a secret key to distribute the decryption key to the receiver. corresponding to this identifier. Anyone can then en- The dual system technique has been successfully used crypt messages using the identifier as a public encryption to obtain adaptive security for not only (H)IBE [3,32] but key, and only the holder of the corresponding secret key also more expensive Fully Encryption (FE) [8,20,34]. Re- International Journal of Network Security, Vol.21, No.1, PP.40-46, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).06) 41 cently, the dual system technique helped us to go further. The first construction of HIBE is due to Gentry and Chen and Wee [9, 10] applied the dual system technique Silverberg [12] where the security is based on the random in a novel way and gave an IBE with security loss only oracle model. Subsequently, Boneh and Boyen [4] pre- related to system parameters. sented a HIBE without random oracles in the selective- Initial idea and motivation of identity-based encryp- ID model [25]. The best known HIBE constructions, both tion introduced by Shamir [27] where a public key can be with and with- out random oracles, are based on bilinear the identity string of a user such as an e-mail address. Al- maps (Boneh et al., 2005; Boyen and Waters, 2006; Gen- though practical solutions proposed by different authors try and Halevi, 2009; Waters, 2009). More recent HIBE for IBE, Key escrow is well known problem in an iden- schemes are built over lattices proposed by Agrawal et tity based encryption. In order to resolve key escrow al. [1,2]. In all these constructions, the sizes of ciphertexts problem in IBE, Gentry and Silverburg [33] given con- and private keys, as well as the decryption cost, grow lin- struction of HIBE [19, 26] is which the security is based early with the identity depth. Boneh et al. [12] proposed on the random oracle model. Subsequently, Boneh and the first HIBE system with constant size ciphertext and Boyen [4] presented a HIBE without random oracles in without random oracles, whereas the provable security is the selective-ID model. One inherent limitation of previ- under the selective-ID model. ous HIBE schemes [17,21] is that the maximum hierarchy depth should be fixed in the setup phase. In this paper, we address this problem and propose a hierarchical iden- 3 Preliminaries tity based encryption scheme, that is a modification to the We briefly review bilinear maps and bilinear map groups. Boneh et al. [12] HIBE. In this scheme, we included our proposed distributed key issuing protocol [18] to achieve maximum hierarchy with threshold secret key recovery. 3.1 Bilinear Pairings We also present correctness and security analysis of the Let n be a prime number. Let ( , +) be an additive proposed scheme. G1 (+) cyclic group of order q, where q is the prime and The rest of the paper is organized as follows: Section 2 ( , x) be an multiplicative (x) group of order q. A bilin- presents related work and Section 3 gives an overview of G2 ear pairing is a map e : × → with the following preliminaries and Identity Based Cryptography and their G1 G1 G2 properties [31]: extensions. In Section 4, discussed overview of distributed key issuing protocol. In Section 5, we present Hierarchical • Bi-linearity: e(aP, bQ) = e(P,Q)ab where P,Q ∈ ∗ Identity Based Encryption scheme and their correctness. G1, a, b ∈ Zq Security assumptions, analysis and comparative analysis is presented in Section 6. Section 7 we explore possible • Non-degeneracy: e(G, G) 6= 1. Therefore, it is a applications of proposed scheme and other IBE schemes. generator of G2. Concluding remarks are in Section 8. • Computability: There is an efficient algorithm to compute e(P,Q) for all P,Q ∈ G1.

2 Related Work For any a ∈ Zq and P ∈ G1, we write aP as the scalar multiplication of group element P by integer a. Typically, The concept of IBE [27] initially proposed by Adi Shamir G1 is obtained as a subgroup of the group of points on a in 1984 and it remained an open problem for almost two suitable elliptic curve over a finite field, and G2 is obtained decades to come up with a satisfying construction for it. from a related finite field. In 2001, Boneh and Franklin [5] proposed formal secu- For simplicity, we define ID-based encryption systems rity notions for IBE systems and designed a fully func- in the below. tional secure IBE scheme using bilinear maps. Since the pioneering work of Boneh and Franklin [5], many IBE 3.2 Identity Based Encryption schemes [4, 11, 13, 14, 33] were proposed in bilinear maps. Identity-based encryption (IBE) is a kind of public key The main motivation for Identity Based Encryption is to encryption (PKE) that uses any bit-string (e.g., e- mail help the deployment of a public key infrastructure. Boneh address, phone number, or identity) as a public key of a and Franklin [5] were the first to propose a feasible IBE user. Identity-based PKI [12] is the binding between the system based on the Weil pairing in 2001. After shamir’s public/private keys and the individual. In IBE, a single proposal in 1984 [27], it was proposed nearly two decades key generation center (KGC) should issue private keys in 2001. and establish secure channels to transmit private keys of An identity based encryption (IBE) algorithm is a users. To reduce the cost of private key generation of the tuple of algorithms (Setup, KeyDer, Encrypt, Decrypt) KGC in IBE, the concept of hierarchical IBE (HIBE) [7] provides the following features. The trusted third party was introduced such that the KGC delegates the key gen- runs Setup to create a master key (MSK). It out- eration functionality to a lower level KGC [22, 29] using puts public parameters mpk which are kept public and sequential and threshold manner. keeps the master secret key MSK private. At the International Journal of Network Security, Vol.21, No.1, PP.40-46, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).06) 42

CDH a b ab point when a client with identity ID would like partic- defined as AdvA = P r[A(g, g , g ) = g |a, b ∈ ∗ ipate in the framework, the trusted authority produces Zq . a decryption key dID ← KeyDer(msk, ID), and sends The CDH Assumption is that, for any probabilis- this key over a protected and validated channel to the tic polynomial time algorithm A, the advantage client. To send a scrambled message m to the client AdvCDH is negligibly small. with identity ID, the sender processes the ciphertext A C ← Encrypt(mpk, ID, m), which can be decrypted by Decisional Diffie-Hellman Problem (DDH) - a b 4 ∗ the client as m ← Decrypt(dID,C). Given (g, g , g , h) ∈R G for unknown a, b ∈ Z ,, where G is a cyclic prime order multiplicative group 3.3 Hierarchical Identity Based Encryp- with g as a generator and q the order of the group, the DDH problem in G is to check whether h = gab. tion The advantage of any probabilistic polynomial time al- A HIBE system consists of the following five algorithms gorithm A in solving the DDH problem in G is defined HIBE = (Setup,Extract, Derive, Encrypt, Decrypt). The as root PKG runs the Setup algorithm to output public and AdvDDH = |P r[A(g, ga, gb, gab) = 1] − private parameters for HIBE setting, including a bilinear A P r[A(g, ga, gb, h) = 1]||a, b ∈ ?. pairing as HIBE context, public parameters and master Zq The DDH Assumption is that, for any probabilistic key only known to the root PKG (at level 0). The Ex- polynomial time algorithm A, the advantage AdvA is neg- tract algorithm generates private keys for all identities in ligibly small. hierarchy with master key, public parameters and identi- ties as input, and distributes private keys to their owners via trusted channel. Algorithm Derive functions alike to 4 Distributed Key Issuing Proto- Extract. It is used by ancestor entities to generate private keys for their descendants, or delegate private keys along col hierarchy. The Encrypt algorithm encrypts a message on the intended recipient’s identity. Algorithm Decrypt uses In this section, we present our proposed distributed key the intended recipient private key to decrypt a cipher text. issuing protocol [18] using threshold cryptography. It will be useful for increasing the hierarchy with maximum number of level and recovery of decryption secret is with threshold number of participants. A distributed PKG, KPAs (Key Privacy Authorities) and the user (receiver) have the partial private key of the decryption secret key (S). An HIBE scheme with an (t, n)- distributed PKG along with KPAs and User consists of the following components:

4.1 Overview The proposed protocol divided into five sub phases namely Setup, System public key setup, Key is - suing, Key securing, and Private Key reconstruc- tion. Throughout this algorithm we use KGC - is a PKG, KPAs - intermediate trusted authorities and User is a pri- vate key receiver. Figure 1: Hierarchical ID based encryption Setup: (run by KGC) The KGC selects initial parame- ters such as hash functions, groups under addition 3.4 Security Assumptions and multiplication, bilinear maps, master key and In this subsection we present the complexity assump- calculate the public key. tions [3, 34] required for our construction. System public key setup: (run by KGC and KPAs) Computation Diffie-Hellman Problem (CDH) - Here the KPAs run the Asmuth bloom (t,n) thresh- a b 3 ∗ old scheme and generates the shares for the common Given (g, g , g ) ∈ G for unknown a, b ∈ Z , where Gis a cyclic prime order multiplicative group with g secret. KGC collect shares from KPAs and calculate as a generator and q the q order of the group, the the system public key. ab CDH problem in G is to compute g . Key issuing: (run by KGC and User) In this phase, new The advantage of any probabilistic polynomial time user joins and interact with KGC to collect partial algorithm A in solving the CDH problem in G is private key from KGC. Here User registration and International Journal of Network Security, Vol.21, No.1, PP.40-46, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).06) 43

KGC response provides partial private key to the • Encrypt(ID|k, M, P arams): It runs a probabilistic user. polynomial time (PPT) algorithm which takes pub- l lic key IDIl = (I1, ··· ,Il) ∈ I , message (or plain Key securing: (run by User and KPAs) User selects any text) M ∈ M, and the params as input along with pair of t+1out of n(n > 2t) or n = 2t+1) KPAs and t, s1, ··· , sk ∈ Zp and outputs cipher text C. run the robust secret sharing algorithm which gives Cipher text is C = (C ,C ,C ,C ), where even t of KPAs corrupted the user able to reconstruct 1 2 i,3 i,4 t.α partial private key with a random value. – C1 = e(f1, f2) .M – C = gt Private Key reconstruction: (run by User) Finally, 2 si user combines the partial private keys issued by – Ci,3 = g ; I1 Ik t KPAs and KGC along with his partial private key – Ci,4 = {(h1 , ··· , hk .f2)}i=1. for the re- construction of original private key which • Decrypt(C,SK , P arams) can be used for decryption of cipher-texts. ID|k It runs a deterministic algorithm which takes cipher

text C for ID|l, private keys of SKID|k for ID|k and 5 Proposed Hierarchical Identity params as input and outputs message M as follows: C .(C ,SK )−1 Based Encryption M = 1 2 IDi,1 . Qk i=1 e(Ci,3,SKID|k ).e(Ci,4,SKID|k ) Let e : G × G → G1 be a bilinear map, where G is a group of prime order P . An identity is defined as ID = 5.1 Correctness ∗ k (I1, ··· ,Ik) ∈ (Zp) , where k is the depth of the hierarchy that the ID belongs to. There are four algorithms: Setup, With cipher text C encrypted with private key SK for each identity ID = ((I , ··· ,I )), the Keygen, Encryption and Decryption. l is the maximum ID|k k 1 k Qk depth of the hierarchy allowed. i=1 e(Ci,3,SKID|k ).e(Ci,4,SKID|k ) is calculated as −1 M.C1.(C2,SKID ) provides consistency of our pro- λ i,1 • Setup(1 ): It runs a probabilistic polynomial time posed HIBE scheme. (PPT) algorithm which takes a security parameter λ as input and outputs mastersecretkey(MSK) and I = {0, 1}λ be the identity space. 6 HIBE Security Analysis

– Select a generator g ∈ G, G is a group of prime In this section, we present security analysis and efficiency order P and obtains a bilinear group; of proposed modified HIBE scheme. The security of (un- bounded) HIBE is defined via the following experiment – Choose f , f ∈ and randomly x, y ∈ ; 1 2 G ZP between a challenger C and an adversary A, denoted by – Compute u = gx and v = gy; HIBE ExpA (λ, n). – Pick randomly h1, h2, ··· , hl ∈ G; Setup. C runs Setup and sends master public key mpk – Calculate MSK = gα, where α = x.y; to A. – Publish public parameters params = Phase 1. A is capable of acquiring secret keys for any (g, f1, f2, h1, h2, ··· , hl). identity vector by making key extraction queries. C answers the query by invoking KeyGen. • Keygen(ID|k, MSK, P arams): It runs a proba- ∗ ∗ bilistic polynomial time (PPT) algorithm which takes Challenger. A submits two messages (m0, m1) of equal k length and a challenge identity vector x∗ with the an identity ID|k = (I1, ··· ,Ik) ∈ I , MSK and restriction that no prefix of x∗ has been requested params as input and outputs private key SKID|k for th in Phase 1. C flips a coin toss β ← {0, 1} and en- k level identity ID in sequential manner to avoid ∗ ∗ crypts mβ under x . The resulting challenge cipher- Key escrow problem. ∗ text CTx∗ is sent back to A. – Choose random exponents r1, ··· , rk ∈ Zp; Phase 2. A can make more key extraction queries with

– Compute SKID|k = (b0 = the restriction above. α Qk−1 Ij r r 0 g .( i=1 hij .g3) , b1 = g ) and bk, ··· bl = Guess. A outputs its guess β ∈ {0, 1}. hr , ··· , hr k l An adversary A wins iff β = β. We use th – Generation of K level private key: HIBE ExpA (, n) = 1 to denote this event. The probabil- ∗ Select a random t ∈ ZP ; ity space is defined by all randomness used by C and A. We define the advantage function of an adversary A as ∗ Compute private key for SKIDk = I (b .bIk .(Qk h j .f )t, b .gt, ht , ··· , ht). HIBE HIBE 0 k j=1 j 2 1 k+1 l AdvA (, n) = |P r[ExpA (, n) = 1] = 1/2|. International Journal of Network Security, Vol.21, No.1, PP.40-46, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).06) 44

6.1 Security in Standard Oracle Model 7 Applications

We define the security of our scheme equivalent to that of Identity-based encryption (IBE) [13, 27], an important HIBE schemes, but with the adversary choosing a chal- primitive that can be used to ensure the data confiden- lenge pattern instead of an identity to which the challenge tiality for secure communication in several domains. ciphertext will be encrypted. More formally, the IND-CPA (Indistinguishability un- 7.1 Public key Infrastructure (PKI) der Chosen Plaintext Attack) security model is defined through the following game, played between an adversary In the identity-based setting, the public key is bound A = (A1,A2) and a challenger: to the transmitted data while the binding between the private key and the individual is managed by the TA • The challenger generates a master key pair (Trusted Authority). Boneh and Franklin suggested in [5] (mpk, msk) ← Setup. that key escrow can be circumvented by using multiple TAs and threshold cryptography. On the other hand, be- • The adversary runs A1 on mpk. The adversary is cause of this built-in feature, the user always needs to set given access to a key derivation oracle that, on in- up an independent secure channel with his TA for retriev- put of an identity ID = (ID1, ..., IDl), returns the ing private key material. secret key dID ← KeyDer(msk, ID) corresponding to that identity. The adversary outputs two equal- 7.2 Private Messaging length messages (m0, m1) and a challenge pattern P, along with some state information state. The system of a PKI comprises of security and opera- tional arrangements, security administrations, and inter- • The challenger chooses a bit β ← {0, 1} and com- operability conventions supporting the utilization of open putes the ciphertext C ← Encrypt(mpk, P, mβ). key cryptography for the administration of keys and cer- tificates. A PKI empowers the foundation of a trust hier- • The adversary runs A2 on the input C and the state archy. These interesting properties of IBC show the like- information state. The adversary is given access to a lihood of building up an option security framework that key derivation oracle as before. The adversary out- gives more prominent adaptability to substances in- side 0 puts a bit β . an public environment. We discuss proposed PKI structure [11] as follows: A 0 The adversary wins the game if β = β and it never client in this framework is a client who has an arrange- queries the decryption oracle on any identity ID which ment of different clients enlisted with it as contacts. This matches the pattern P, i.e. any identity ID ∈ P . The client enrolment is bi-directional. As it were when client adversary’s advantage is defined as |2P r[Awins] − 1|. A turns into a contact of client B, client B turns into a contact of client A. A client expects to send messages to every one of its contacts. These messages are to be con- 6.2 Efficiency veyed to the client contacts by then of time. This is like The proposed HIBE method having the fixed constant the idea of microblogging. (Illustration: Facebook and ciphertext size, private keys sk, l for Hierarchical path in Twitter). Such a message is identified as an update. the distributed manner. And our scheme achieves public We present the problem of a contact obtaining an up- keys O(k) and private key achieve O(l) size. We have date that it missed anonymously with the following re- presented comparison efficiency of the existing schemes quirements: with our proposed scheme in Table 1. • A user P should be able to simply send its update MP only to those contacts who are available online at the point of time it sends the update using di- Table 1: Comparison efficiency rect connections to those users. We denote the set of online contacts as C+ ⊆ C where |C+| ≥ 1. Schemes Cipher text size sk size pk size [27] O(k) O(k) O(l) • All the contacts of P who were off-line at when P [14] O(1) O(l − k) O(l) sent MP should be able to obtain MP when they are [15] O(k) O(k) O(l) available online. List those contacts as C− ⊂ C. Any − [34] O(1) O(l − k) O(l) CPi ∈ C can publish a query requesting an update 2 2 2 2 2 2 3 [21] O(klnd ) O(k l n d ) O(kn d ) of P that is called QP . 2 2 2 2 2 3 [23] O(lnd ) O(l n d ) O(n d ) + • Any CPi ∈ C will have the capacity to distribute Our O(1) O(l) O(k) a response to a Q . This response is denoted by method P SP and an eavesdropper with polynomially bounded resources should not be able to compute the original MP using SP . International Journal of Network Security, Vol.21, No.1, PP.40-46, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).06) 45

• The contact who provides SP should not be able to [6] D. Boneh and X. Boyen, “Efficient selective id secure learn who generated QP . The contact who generates identity-based encryption without random oracles,” in Ad- Q and gets the relating S should be able to extract vances in Cryptology, vol. 3027, pp. 223-238, 2004. P P [7] D. Boneh, X. Boyen, and E. Goh, “Hierarchical identity M but should not be able to learn who generated P based encryption with constant size ciphertext,” in Ad- SP . vances in Cryptology, vol. 3494, pp. 440-456, 2005. [8] X. Boyen and B. Waters, “Anonymous hierarchical identity • At the point when the creation of C changes to new based encryption (without random oracles),” in Advances 0 arrangement of clients C , P should be able to update in Cryptology, vol. 4117, pp. 290-307, 2006. private setup of the members of C0 with the issue of [9] J. Chen, H. Wee, “Fully tightly secure IBE and dual system a public message. groups,” in Advances in Cryptology, pp. 435460, 2013. [10] J. Chen, H. Wee, “Dual system groups and its appli- • After such an update those clients in the set C − C0 cations compact HIBE and more,” in IACR Cryptology should not be able to obtain an update of P. ePrint Archive, pp. 265, 2014. [11] R. Fnado, B. Bharat, “Mark L - Private anonymous Users in the HIBPKI setting do not need to obtain short- messaging,” in IEEE International Symposium on Reliable Distributed Systems, pp. 430–435, 2012. term private keys from their respective PKGs. This is [12] C. Gentry and A. Silverberg, “Hierarchical id-based cryp- because the users themselves act as PKGs for their local tography,” in Advances in Cryptology, vol. 2501, pp. 548- proxy clients. 566, 2002. [13] C. Gentry, “Practical identity based encryption without random oracles,” in Advances in Cryptology, vol. 4004, pp. 8 Conclusion 445-464, 2006. [14] C. Gentry and S. Halevi, “Hierarchical identity based An Identity-Based Encryptions (HIBE) are concerned, it encryption with polynomially many levels,” in Theory of Cryptography (TCC’09), vol. 5444, pp. 437-456, 2009. is rational to viewed the root PKG (Private Key Genera- [15] C. Gentry, “Practical identity-based encryption without tor) as a trusted party or being unconditionally trusted, random oracles,” in Proceedings of the Advances in Cryp- but those level PKGs should be treated suspiciously in tology, vol. 4004, pp. 445464, 2006. hierarchical identity based encryption. In order to re- [16] J. Horwitz and B. Lynn, “Toward hierarchical identity- solve key escrow problem in HIBE, in this paper, we pro- based encryption,” in Advances in Cryptology, vol. 2332, pose a new efficient hierarchical identity based encryption pp. 466-481, 2002. [17] S. Jahid, P. Mittal, N. Borisov, “EASiER: encryption- scheme standard security model, a modification to the based access control in social networks with efficient revo- proposed by Boneh et al.by avoiding key escrow problem cation,” in ACM (ASIACCS’11), pp. 411415, 2011. with maximum hierarchy. Details of the scheme is pro- [18] D. Kalyani and R. Sridevi, “Robust distributed key issu- vided with level evaluation with encryption privacy and ing protocol for identity based cryptography,” in Interna- correctness of the scheme. Security analysis of the scheme tional Conference on Advances in Computing, Communi- along with comparative analysis are discussed. At end, we cations and Informatics (ICACCI’16), pp. 821-825, 2016. [19] B. Lee, E. Boyd, E. Daeson, K. Kim, J. Yang and S. presented applications of HIBE in public key infrastruc- Yoo, “Secure key issuing in ID-based cryptography,” in ture and private message communication. proceedings of the Second Australian Information Security Workshop (AISW’04), pp.69-74, 2004. [20] A. Lewko and B. Waters, “New techniques for dual sys- References tem encryption and fully secure HIBE with short cipher- texts,” in Theory of Cryptography, vol. 5978, pp. 455-479, 2010. References [21] A. B. Lewko, B. Waters, “Unbounded HIBE and attribute-based encryption,” in Advances in Cryptology, [1] S. Agrawal, D. Boneh, X. Boyen, “Lattice basis delega- pp. 547567, 2011. tion in fixed dimension and shorter-ciphertext hierarchical [22] D. K. Pattipati, A. N. Tentu, V. Ch. Venkaiah, “Sequen- IBE,” in Proceedings of 30th Annual Cryptology Confer- tial secret sharing scheme based on level ordered access ence, pp.98-115, 2010. structure,” International Journal Network Security, pp. [2] S. Agrawal, X. Boyen, Vaikuntanathan, “Functional en- 874-881, 2016. cryption for threshold functions (or fuzzy IBE) from lat- [23] Y. L. Ren and D. W. Gu, “Efficient hierarchical identity tices,” in Proceedings of 15th International Conference on based encryption scheme in the standard model,” Wuhan Practice and Theory in Public Key Cryptography, pp. 280- University Journal of Natural Sciences, vol. 32, no. 2, pp. 297, 2012. 207-211, 2008. [3] O. Blazy, E. Kiltz, J. Pan, “Identity-based encryption from [24] A. Sahai and B. Waters, “Fuzzy identity-based encryp- affine message authentication,” in Advances in Cryptology, tion,” in Advances in Cryptology, vol. 3494, pp. 457-473, pp. 408425, 2014. 2005. [4] A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based [25] A. Sahai and B. Waters, “Fuzzy identity-based encryp- encryption with efficient revocation,” in ACM Conference tion,” in Advances in Cryptology, vol. 3494, pp. 457-473, on Computer and Communications Security, pp. 417-426, 2005. 2008. [26] J. H. Seo and K. Emura, “Efficient delegation of key gen- [5] D. Boneh and M. K. Franklin, “Identity-based encryp- eration and revocation functionalities in identity-based en- tion from the weil pairing,” in Advances in Cryptology cryption,” in Cryptology (CT-RSA’13), vol. 7779, pp. 343- (CRYPTO’01), vol. 2139, pp. 213-229, 2001. 358, 2013. International Journal of Network Security, Vol.21, No.1, PP.40-46, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).06) 46

[27] A. Shamir, “Identity-based cryptosystems and signature [34] B. Waters, “Dual system encryption: Realizing fully se- schemes,” in Advances in Cryptology, vol. 196, pp. 47-53, cure IBE and HIBE under simple assumptions,” in Ad- 1984. vances in Cryptology, vol. 5677, pp. 619-636, 2009. [28] A. N. Tentu, A. Basit, K. Bhavani, V. Ch. Venkaiah, “Multi-secret sharing scheme for level-ordered access struc- tures,” Number-Theoretic Methods in Cryptology, pp. 267- Biography 278, 2017. [29] A. N. Tentu, P. Paul, V. Ch. Venkaiah, “Computationally D. Kalyani is working as Assistant Professor in Department perfect compartmented secret sharing schemes based on Information Technology at VNRVJIET, Hyderabad, and also MDS codes,” International Journal of Trust Management pursuing her Ph.D in Computer Science and Engineering from in Computing and Communications, pp. 353-378, 2014. JNTU Hyderabad. where she teaches Information Security [30] A. N. Tentu, V.Ch. Venkaiah, V. K. Prasad, “CRT based Management and Standards for post graduates. Her research multi-secret sharing schemes: Revisited,” International interests focus on the Cryptography and Information Security. Journal of Network Security, vol. 16, no. 4, pp. 249-255, 2018. [31] S. F. Tzeng, M. S. Hwang, “Digital signature with mes- R. Sridevi is a Professor and heading Computer Science and sage recovery and its variants based on elliptic curve dis- Engineering Department at JNTUH College of Engineering crete logarithm problem”, Computer Standards & Inter- Hyderabad, Jawaharlal Technological University Hyderabad. faces, vol. 26, no. 2, pp. 61–71, Mar. 2004. She received her Ph.D in 2010. Her research interests include [32] X. Wang and X. Yang, “Cryptanalysis of two efficient Steganography, Steganalysis, Network security and Cryptogra- HIBE schemes in the standard model,” Cryptology ePrint phy, Computer Networks. She has published more than twenty Archive, vol. 109, no. 2, pp. 189-200, 2011. research papers in reputed journals and eight international and [33] B. Waters, “Efficient identity-based encryption without national conferences. random oracles,” in Advances in Cryptology, vol. 3494, pp. 114-127, 2005. International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 47

A Selective Self-adaptive Image Cryptosystem Based on Bit-planes Decomposition

Hossam Diab (Corresponding author: Hossam Diab)

Computer Science Department, College of Computer Science and Engineering, Taibah University, KSA Department of Mathematics and Computer Science, Faculty of Science, Menoufia University Gamal Abd El-Nasir, Qism Shebeen El-Kom, Shebeen El-Kom, Menofia Governorate, Egypt (Email: [email protected], [email protected]) (Received Feb. 13, 2018; revised and accepted June 18, 2018)

Abstract these techniques have been found insecure, particularly with respect to known and/or chosen-plaintext attacks. The intrinsic traits of digital images, such as huge data, Consequently, special techniques to preserve valuable im- data redundancy, and tight relation of neighbor pixels, age information from illicit access should be developed. are usually difficult to handle by classical encryption tech- At present, many image cryptosystems have been pre- niques. Accordingly, this paper suggests an efficient self- sented to handle these issues. In particular, chaos-based adaptive image cryptosystem based on chaotic systems ciphers are considered promising alternatives to the classi- to satisfy the requirements of secure image storage and cal encryption techniques. Especially, the chaotic systems communication. The suggested cipher first decomposes have several good properties such as pseudorandom prop- the input plainimage into eight bit-planes and then di- erty, sensitive dependence on initial system parameters, vides the bit-planes into two groups. A chaotic based and non-periodicity which meet the basic requirements mechanism randomly selects two bit-planes to form the for secure cryptography. Generally, two primitive oper- first group and the remaining bit-planes are assigned to ations are widely employed for image encryption: pixel the second group. The first group is then chaotically en- shuffling and pixel substitution. The shuffling process crypted based on the information extracted from the sec- changes only the location of the pixel to remove the strong ond one along with two extra-generated bits. Further, the correlation between image pixels. On the other hand, presented cipher independently masks the second group the substitution process alters the values of the pixels to by a randomly created key stream related to the cipher spread any slight change across the whole image. Ac- pixel. Visually and computationally, the proposed cipher cordingly, the image encryption techniques are classified is extensively tested against different security attacks and into permutation-only ciphers, substitution-only ciphers the results confirm its good performance. or product ciphers that apply the two processes in conse- Keywords: Bit-Planes Decomposition; Chaos System; Im- quence to achieve high level of security [17, 21, 22]. age Encryption; Security Analysis; Self-Adaptive Encryp- tion 1.1 Literature Review In this section, a brief overview of the techniques related 1 Introduction to the present work is provided. Mitra et al. [21] pre- sented a scheme that combines bit permutation, pixel Digital images are considered one of the most significant permutation, and block permutation to protect digital im- information representation styles. Due to its features of ages. The main features of this method are its simplicity visibility and abundance in information expression (most and low computation load. However, a very large key information we obtained is from vision perceiving), digi- size is required to accomplish bits, pixels, and blocks per- tal images are extensively used. Further, several intrinsic mutations, which accompanied with a flexibility problem features like huge data size, high redundancy, and tight for practical applications. Zhao et al. [47] studied the relation among pixels characterize digital images. Accord- ergodic matrix ciphers (permutation-only ciphers) and ingly, most of the traditional cryptosystems (i. e. DES, developed an efficient decryption algorithm for cracking AES, RC5, RC6, RSA, etc.) are not appropriate for prac- these ciphers. Further, Li et al. [15] demonstrated that tical image protection, indeed, most of these techniques all permutation-only based ciphers can be broken through are basically devoted to text data. Moreover, many of known/chosen-plaintext attacks. In addition, Jolfaei and International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 48

Wu [9] developed an optimal chosen plainimage attack the analysis reveals that the permutation sequence and to crack the pure permutation ciphers. Accordingly, it the diffusion key stream are fixed and independent from is found that the secret permutation alone cannot afford the plaintext which enables the opponent to launch the adequate security levels for image security applications. given attack. Parvin et al. [26] developed an image en- He et al. [7] introduced an encryption technique based cryption scheme involving rows and columns scrambling on a new dynamic system that incorporates an S-box and followed by a substitution process. Their scheme utilized an XOR plus mod operations. Their scheme relied on a combination of two 1D chaotic maps to generate three a new constructed nonlinear chaotic mapping to thwart random sequences to complete the encryption mapping. the grey code and statistical attacks. However, Li [11] Norouzi and Mirzakuchaki [23] analyzed the design issues discovered a serious flaw of the encryption function in [7] of the cipher in [26] and employed a chosen plainimage and showed that the cipher method can be cracked with attack to break the scheme by recovering an equivalent only two selected plainimages. Tong et al. [29] utilized key stream used in the diffusion stage and consequently a compound chaotic system to design a two-phase image the two shuffling sequences of the permutation stage. cryptosystem. Specifically, Tong scheme incorporated two Additionally, based on the excellent properties of bit- phases: in the first phase, the image pixels are substituted level scrambling, which simultaneously modifies the pixel with XOR operation. While in the second phase, a cir- location and its value; several image cryptosystems em- cular shift position permutation is applied to the masked ploying bit permutation have been presented in the lit- image. The two phases are governed by a pseudo-random erature. Zhu et al. [49] presented an image cipher that sequence produced by compound system of two related exploits the chaotic Cat map for bit-level shuffling and chaotic maps. Li et al. [13] scrutinized the security aspects diffuses the image pixels depending on the chaotic Lo- of Tong scheme [29] and pointed out that the cryptosys- gistic map. Xiang et al. [37] suggested a selective image tem can be broken with only three chosen plainimages. cipher in which the most significant four bits of each pixel Furthermore, they demonstrated that the scheme is not are only encrypted and the least significant four bits are adequately sensitive to the modifications of the plainim- left intact. Yen and Guo [42] introduced a bit-level cryp- ages. Pareek et al. [25] introduced an image cipher in tosystem in which the primitive operation of bit rotation which eight distinct kinds of operations are utilized to is employed to mask the image pixels. Teng and Wang [28] mask the image data. A main feature of Pareek scheme presented an image cryptosystem based on chaotic sys- is the derivation of the initial conditions of the chaotic tems and self-adaptive that carries out its operation at map via an external secret key. Li et al. [12] discussed bit-level. Liu and Wang [19] developed a color image en- the security issues of the encryption method presented cryption scheme based on the piecewise linear chaotic map in [25]. They found several problems in Pareek scheme and Chen chaotic system. Specifically, the proposed ap- such as invalid keys, a number of equivalent keys and proach permuted the plainimage at bit-level and simulta- weak keys, which shrink the key space of the cryptosys- neously masked the color components using Chen system. tem. Also, they developed some attacks to a number of Xu et al. [40] developed a novel chaotic cipher based on sub keys. In addition, they proposed a known plainim- the primitive operations of cyclic shift; bit-Xor and swap- age attack model to break the scheme. Wang et al. [33] ping that are employed at bit-level of the image. Zhou introduced an encryption method in which the plaintext et al. [48] used the bit-planes of an auxiliary image as a is encrypted using alternant of the stream and block ci- security key to chaotically encrypt the plainimage. Li et phers. A pseudo-random sequence is employed to deter- al. [16] developed an image cipher using a hyper-chaotic mine which cipher mode is selected. The Wang cryp- system by applying pixel-level and bit-level scrambling. tosystem can be applied to several types of files such as Zhang et al. [43] combined a lightweight bit-level permu- JPEG, DOC, TXT, and WMA. Abdo et al. [1] presented tation and cascade cross circular diffusion to encrypt the an image cryptosystem in which a special type of peri- plainimages to remedy the flaws related to the classical odic boundary elementary cellular automata is employed. chaotic encryption architecture. Zhang et al. [44] inves- In this algorithm, different key streams are generated de- tigated the key features of image bit-planes information pending on the chaotic cellular neural network to encrypt and their distribution. Further, a novel confusion struc- different plainimages. Xiao et al. [39] suggested an image ture using a proposed expand-and-shrink approach was cipher in which the Cat map is exploited to shuffle the presented to encipher color images. Hoang and Thanh [8] image pixels and the Chen chaotic system is employed to identified the defects of the encryption scheme proposed disguise the values of image pixels. Lian et al. [18] pre- in [44] and demonstrated that the cipher lacked the de- sented an image cryptosystem that permutes the plain- pendency on the plainimage information for the diffusion image by the 2D standard map and further diffuses the operation. Moreover, they reported other flaws arisen shuffled image by the Logistic map. Wang and Teng [32] from the isolated location of affected values in the decryp- presented a novel image cryptosystem which uses a Lo- tion. Finally, they restored an equivalent lookup table for gistic map to produce scrambling sequences, shuffle and permutation through a chosen cipherimage attack. Dia- diffuse the RGB channels. Tu et al. [30] analyzed the conu [4] proposed a novel image cipher that applies a new scheme presented in [32] and reported that the cryptosys- circular inter-intra pixels bit-level scrambling mechanism tem is vulnerable to chosen plaintext attack. Specifically, to enhance the encryption effect. Cao et al. [2] developed International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 49 a novel chaotic map based on the combination of Logis- is adjusted to shuffle and mask the higher four bits. Fi- tic map and iterative chaotic map with infinite collapse nally, the encrypted image is obtained by combining the (ICMIC) using a cascade modulation couple model. Ad- masked higher four bits and the lower four bits into one ditionally, they employed the new map in designing a pixel. novel image cipher by applying bit-level scrambling and diffusion simultaneously. Fu et al. [6] presented a new bit-level scrambling strategy using Cat map for design- 1.2 Contribution and Organization of the ing a secure cipher for medical image applications. Zhang Paper and Wang [46] developed a new image cipher by utiliz- In this paper, an effective image cryptosystem based on ing the spatiotemporal dynamics of non-adjacent coupled chaotic systems is suggested to satisfy the needs of se- map lattices. They presented a novel bit-level shuffling cure image transfer. The suggested scheme depends on a mechanism that transmits the bits of one bit-plane to any self-adaptive mechanism that employs the information ex- other bit-plane. As a result, the statistical properties of tracted from a selected group of image bit-planes to make the bit-planes are altered and the key features of the im- the encryption result related directly to the plainimage. age are disguised. Ye [41] employed the Logistic map to The proposed cipher can efficiently mask the bit-planes produce a pseudo-random stream for scrambling the bits information of the plainimage. Specifically, the proposed information of the plainimage. Fu et al. [5] introduced scheme is a fully parameterized mapping that is entirely a two-phase bit-level scrambling process that results in dependent on the plainimage information. Namely, the a considerable diffusion effect by employing Chebyshev parameters of the utilized chaotic systems are strongly map and Cat map. Wang et al. [34] combined the chaotic correlated to the plainimage along with the secret key coupled map lattice and DNA computing to design an ef- materials. Accordingly, for two trivially different images ficient image cipher. The image pixels are firstly masked (only one bit differs), their associated key streams are by a pseudo-random stream generated from the chaotic completely distinct. Thus, the suggested cryptosystem map and then encoded by employing the DNA operations. can effectively fight all sorts of attacks including the most Finally, the cipher image is gained by applying the DNA- powerful chosen/known plainimage attack. level permutation, DNA-level substitution, and DNA de- The rest of this paper is arranged as follows: Sec- coding in consequence. Wang and Luan [31] presented a tion 2 describes the basic tools required for constructing novel image cryptosystem by merging the reversible cel- the proposed cipher. Section 3 depicts the details of the lular automata and the intertwining Logistic map to ap- suggested cipher. Simulated results and security tests of ply the permutation-substitution structure at bit level. the suggested cipher are introduced in Section 4 and Sec- Zhang et al. [45] suggested a novel image cryptosystem tion 5, respectively. Finally, Section 6 draws the main using 3D bit matrix shuffling. The scheme combined the conclusions of the paper. Chen chaotic system and a 3D Cat map to define a new shuffling rule for plainimage permutation. Further, it con- fused the shuffled image by a chaotic key stream generated 2 Preliminaries by employing the Logistic map. Wu et al. [36] analyzed the image cipher introduced in [45] and demonstrated its In this section, the basic theory related to bit-planes de- potential flaws of the employed 3D cat map and insen- composition, Sine-Sine map and 3D intertwining Logistic sitivity to the changes of the plainimage. Further, they map that are employed in our design is briefly discussed. presented a chosen plainimage attack model that success- fully cracked the underlying scheme. In addition, an im- proved variant of the scheme was proposed to overcome 2.1 Bit-planes Decomposition the identified shortcomings of the original scheme. Li et For the gray-images, the pixel value is represented in eight al. [14] presented a novel attack model based on chosen- bits, so the brightness of the pixel is ranging from 0 to 255. plainimage attack to crack the permutation-diffusion ci- Accordingly, each pixel of the image can be transformed phers. They divided this architecture into two indepen- into 8 bits representation as follows: dent models (permutation and diffusion) and then sepa- rately broke each model to firstly restore the diffusion key P (i, j) = Bp8 Bp7 Bp6 Bp5 Bp4 Bp3 Bp2 Bp1 (1) stream and secondly recover the permutation sequence. Moreover, to prove the feasibility of the proposed model, where P (i, j) is the pixel value at coordinate (i, j) and they successfully attacked the cipher presented in [45]. th Bpk ∈ {0, 1} is the k bit of the pixel. Thus, eight dif- Liu et al. [20] proposed a cryptosystem that handles the ferent binary images can be obtained by collecting the kth plainimage at bit-level. Firstly, the image pixels are per- bit from each pixel. The kth binary image represents the muted by a random chaotic sequence generated from the kth bit-plane of the original gray-image. Figure 1 depicts improved Logistic map. Secondly, the permuted image the different 8 bit-planes for the Pirate plainimage. It is is decomposed into eight bit-planes and the lower four noticed that, based on the location of the bit in the image bits are fed to the improved Logistic map to create a key pixel, it weighted by 2k to introduce a different amount stream related to the plainimage. Thirdly, the key stream of information for that pixel [28]. International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 50

W X

Pirate image BP1 BP2

Iteration Iteration (a) (b) Y Z

BP3 BP4 BP5

Iteration Iteration (c) (d) (a) parameter W of SSM. (b) parameter X, (c) parameter Y, and (d) parameter Z of the ILM.

BP6 BP7 BP8 Figure 2: Chaotic behavior of the SSM and ILM Figure 1: Bit-planes decomposition of Pirate plainimage

where the operation (r mod 1) returns the fractional part 2.2 The Employed Chaotic Maps of the real number r by subtracting or adding an appropri- ate integer number, for example, (12.1234 mod 1) yields Due to their simple structure and good chaotic properties, 0.1234 by subtracting the integer value 12, while (-12.1234 the classical chaotic maps such as Chebyshev map, Logis- mod 1) returns 0.8766 by adding the integer value 13. tic map, Sine map, and Tent map, etc., have been com- Moreover, with the conditions of 0 < u ≤ 3.999, |K | > monly employed in designing image cryptosystems. How- 1 33.5, |K | > 37.9, and |K | > 35.7, the map has brilliant ever, several weaknesses related to such maps (for exam- 2 3 chaotic features, and all weaknesses associated to simple ple, its limited chaotic range, blank windows, and uneven maps are completely resolved. Additionally, the secret key distribution of generated values, weak keys, etc.) degrade is greatly expanded. Figure 2b, Figure 2c and Figure 2d the performance of the encryption algorithm. Thus, to depict the behavior of the intertwining map. mitigate such flaws, Sine-Sine map (SSM) is designed in [24] and an intertwining Logistic map (ILM) is pre- Pak and Huang [24] and Sam et al. [27] studied the sented in [27]. chaotic performance of the SSM and the ILM, respec- The Sine-Sine map (SSM) is described by Equa- tively, and demonstrated the good features of these maps. tion (2): Both maps can solve the defects associated with the sim- ple maps, which are mentioned above. Actually, the SSM 14 Wi = u1 × sin(π × Wi−1) × 2 − and the ILM present several advantages to the proposed (2) 14 cipher including: 1) Their chaotic sequences are uniformly floor(u1 × sin(π × Wi−1) × 2 ), i = 1, 2,... distributed within the interval [0, 1] and effectively occu- where u1 ∈ (0, 10] and W0 denote the control parameter pied the entire data range. 2) Both maps have a wide and the initial value of the system, respectively. Figure 2a chaotic range, as demonstrated in [24, 27] by investigat- shows the outstanding chaotic behavior of the SSM which ing the Lyapunov exponent of the maps. That is, the reveals the wide range of chaotic system without any of Lyapunov exponent of these maps is always positive in the aforementioned flaws. the entire range of the control parameters, which indi- Further, the 3D intertwining Logistic map (ILM) is cates the good chaotic behavior. Further, this wide range defined by Equation (3): of the control parameters extends the key space of the cryptosystem. 3) the cascading of these maps together X = (u × K × Y × (1 − X ) + Z ) mod 1 i 1 i−1 i−1 i−1 in our design reduces the dynamic degradation problems Zi−1 related to simple chaotic maps under the finite precision Yi = (u × K2 × Yi−1 + 2 ) mod 1 (3) (1 + Xi ) implementation and also enlarges the key space of the Zi = (u × (X1 + Yi + K3) × sin(Zi−1)) mod 1 suggested scheme. Accordingly, these two chaotic sys- International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 51

Plainimage Initial secret seeds to the specific position (weights) of the bits in the original image pixels as depicted in Section 2.1. s

Decompose e Step 2: Iterate the intertwining Logistic map, given in Intertwining m i

into 8 bit- t

chaotic map

planes α Equation (3), α times using the initial values of its parameters u, K1, K2, K3, X0, Y0, and Z0.

Selection Bp1 This step generates three random values Xα, Yα, and Bp2 mechanism SP Compute Xα : to obtain selection Yα Zα that carry the features of the chaotic map such as . two groups parameter SP Zα Bp 8 of bit-planes Initial parameter ergodicity, random like behavior, and high sensitivity

SP SP G1 G2 to initial control parameters. Additionally, the initial All b1 Bpi values of the map parameters (u, K , K , K , X , Bpk Generate two 1 2 3 0 Bp Sine-Sine Map b2 j k≠ i random bits k≠ j Y0, and Z0) are used as a part of the secret key of Initial parameter the cipher. Accordingly, they contribute in extending

F1 F2 the key-space of the suggested cipher to withstand

Sine-Sine Map the brute force attacks. dk1 + Step 3: Obtain temporary secret bits b1 and b2 according dk + 2 to Equation (4) and Equation (5), respectively. ( C1 C2 1 if Xα ≥ 0.5 b1 = (4) 0 otherwise Merge ( 1 if Yα ≥ 0.5 Cipherimage b2 = (5) 0 otherwise Figure 3: Architecture of the suggested cipher where Xα, and Yα are the current states of ILM system. Equation (4) and Equation (5) state that the two tems will be exploited here for building an efficient image values b1 and b2 are chaotically generated based on cryptosystem that uses the control parameters and initial the intertwining Logistic map outputs Xα and Yα values of both maps as a secret encryption key. and they are highly correlated to the initial secret parameters of the map. Thus, slightly different initial parameters will produce different random bits for b1 3 Suggested Image Cryptosystem and b2. Accordingly, the proposed cipher has a high sensitivity to tiny changes of secret key. 3.1 The Encryption Algorithm Step 4: Quantize the value of the obtained chaotic states Xα, Yα, and Zα to get the selection parameter SP This section depicts the framework of the suggested im- according to Equation (6). age cryptosystem in details. Firstly, the input plainimage 14 is decomposed into 8 bit-planes. Afterward, two groups SP = ((Xα + Yα + Zα) × 10 ) mod 4 (6) of bit-planes are chaotically selected at each pixel. One group is encrypted based on the information contained in Equation (6) demonstrates that the selection param- the other group. Secondly, the second group is chaoti- eter SP is also related to the outputs of the intertwin- cally encrypted and then merged with the first group to ing Logistic map so it depends on the secret key of the obtain the ciphered pixel. Meanwhile, the parameters of cipher. In addition, it is clear that SP ∈ {0, 1, 2, 3} to constitute four different combinations that deter- the employed chaotic system are adapted at each encryp- SP SP tion step based on the encrypted image information to mine the form of two bit groups G1 and G2 as yield different chaotic sequences for different plainimages. described in Step 5. Figure 3 illustrates the proposed architecture of the sug- Step 5: Split the set of image bit-planes into two groups gested cipher. Specifically, the encryption process of the SP G1 that contains two bit-planes (BPi and BPj) and suggested cryptosystem can be depicted as follows: SP G2 that includes the remaining bit-planes (BPk  k 6= i and k 6= j) according to Equation (7) and Step 1: Decompose the input plainimage P into 8 bit- Equation (8), respectively. planes BP , BP , ... , and BP as illustrated in 1 2 8  Equation (1). [BP1,BP2] if SP = 0  [BP ,BP ] if SP = 1 Therefore, in this step each bit-plane BP represents SP 3 4 i G1 = (7) a binary image that contains a certain amount of [BP5,BP6] if SP = 2  plainimage information. This amount is proportional [BP7,BP8] if SP = 3 International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 52

 [BP3,BP4,BP5,BP6,BP7,BP8] if SP = 0 parameter u2, which is a part of the secret key ac-  SP [BP1,BP2,BP5,BP6,BP7,BP8] if SP = 1 cording to Equation (14). G2 = [BP1,BP2,BP3,BP4,BP7,BP8] if SP = 2 14 6  dk2 = (round(WN × 10 )) mod 2 (14) [BP1,BP2,BP3,BP4,BP5,BP6] if SP = 3 (8) Note that the modulus in Equation (14) equals 26 since the second group is composed of 6 bits that Step 6: Iterate the Sin-Sin map, given in Equation (2), represents a value ranging from 0 to 63. T times using the initial parameter W0, computed Step 9: Encrypt the second group GSP according to according to Equation (9), and control parameter u1 2 which is a part of the secret key. Equation (15). SP 8 C2 = F2(G2 ) ⊕ dk2 (15) X −i W0 = ( Vi × 2 + Xα + Yα) mod 1 (9) SP where F2(G2 ) is computed according to Equa- i=1 tion (16).

where V is the vector composed from concatenating 6 SP X SP i−1 the two generated bits (b1 and b2) and the bits of the F2(G2 ) = G2 (i) × 2 (16) SP second bit pattern G2 obtained by Equation (8). i=1 Namely, V can be expressed as follows: Step 10: Obtain the cipher pixel by merging C1 and C2. SP The merge operation can be depicted as follows: V = [b1, b2,G2 ] (10) Step 10.1: Convert C and C into two-bit and six- SP 1 2 where G2 is defined in Equation (8). bit values, respectively; and flip them to ob- 0 0 Equation (9) computes the initial value of the Sin- tain C1 and C2 according to Equation (17) and Sin map based on the current output of the inter- Equation (18), respectively. twining Logistic map in addition to the plainimage 0 information contained in the second selected group C1 = F lip(dec2bin(C1, 2)) (17) SP G2 along with the random bits b1 and b2. That is, 0 C2 = F lip(dec2bin(C2, 6)) (18) the final generated value WT of the Sin-Sin map is strongly related to the plainimage information and where dec2bin(x, n) converts x into a binary the secret key. Accordingly, this step makes the pro- value of length n and F lip(x) is employed to posed cipher a self-adaptive algorithm that employs read the input bit pattern in a reverse order the information extracted from a selected group of from right to left. 0 0 image bits to encrypt the other group. Step 10.2: Concatenate C1 and C2 to obtain 8-bit SP length value and transform it to decimal value Step 7: Encrypt the first group G1 according to Equa- C. tion (11). 0 0 SP C = bin2dec(C1||C2)) (19) C1 = F1(G1 ) ⊕ dk1 (11) Step 11: Update the initial parameters of the intertwin- SP where F1(G1 ) and the diffusion key dk1 are com- ing Logistic map to be used in the next encryption puted according to Equation (12) and Equation (13), according to Equation (20). respectively. C 2 X0 = (Xα + ) mod 1 SP X SP i−1 255 F1(G1 ) = G1 (i) × 2 (12) C i=1 Y = (Y + ) mod 1 (20) 0 α 255 14 C dk1 = ((round(WT × 10 )) mod 257) mod 4 (13) Z = (Z + ) mod 1 0 α 255 Equation (11) masks the plainimage information of SP Equation (20) adjusts the parameters of the in- the group G by the diffusion key dk1 which is 1 tertwining Logistic map based on the previous en- chaotically computed based on WT as stated by Equation (13). Accordingly, the diffusion key is also crypted pixel to make all generated chaotic values, related to the plainimage. That is, different plain- the random bits (b1, b2), and the diffusion keys (dkey1 images will have different diffusion keys and hence, and dkey2) for all subsequent pixels dependent on the proposed cipher can resist the chosen plain- the plainimage information. Thus, this step also in- text/ciphertext attacks. troduces a self-adaptive mechanism to the proposed cipher to ensure a high resistance against different Step 8: Compute a diffusion key dk2 by iterating the Sin- types of attacks. In addition, this adaptation re- Sin map, in Equation (2), N times using the initial sults in a different chaotic behavior of the employed parameter Zα, obtained in Step 2, and the control chaotic maps. International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 53

Step 12: Repeat the steps from 2 to 11 to encrypt all of the deployed chaotic maps are dynamically adjusted image pixels. based on the encrypted information. That is, the chaotic On the other hand, for the decryption operation, the behavior of the maps is affected by the input plainimage. recipient can decrypt the cipherimage and correctly Also, this adjustment of the parameters makes the gener- recover the plainimage by applying the same steps ated random bits (b1 and b2) and the diffusion keys (dkey1 of the encryption process in a reverse order using the and dkey2) strongly related to the plainimage. Thus, correct initial secret values. Also, all adjusted chaotic different plainimages will have different encryption key parameters related to the ciphered pixels can be com- streams and hence the scheme can counter any type of puted during the decryption by the same method em- attacks. Finally, the merge operation presented in step ployed in the encryption procedure. 10 involves a permutation process (simple reverse opera- tion of bits) to increase the confusion/diffusion features of the suggested cipher. Accordingly, the proposed cryp- 3.2 Design Considerations for the Pro- tosystem can be effectively utilized for image encryption posed Cipher applications as demonstrated by the conducted experi- The proposed method is a bit-level encryption that de- ments presented in Section 4 and Section 5. composes the plainimage into 8 bit-planes and then di- vides them into two groups of two bits and six bits, respec- tively. The motivations for this particular decomposition 4 Experimental Results include: 1) to assign a different amount of plainimage information to each group. Indeed, this decomposition In this section, a variety of experimental tests are pre- may assign variant weights to the bits of each group as sented to demonstrate the efficiency of the suggested cryp- depicted in Equation (12) and Equation (16). 2) Since tosystem. In addition, to judge the encryption quality of the first group is encrypted based on the information of the proposed cipher, we numerically compare its results the second group, we put most of the plainimage bits on with the schemes of Xu et al. [40], Cao et al. [2], Zhang the second group to make the generated key stream more and Wang [46], Wang et al. [34], and Liu et al. [20]. In related to the plainimage data. 3) The most important our experimental results, several images are evaluated. point is that this particular decomposition can be sim- These image, shown in Figure 4, are Lena, Airplane, Pi- ply extended to DNA representation. Particularly, DNA rate, Lake, and TestPat. Specifically, to numerically eval- computing uses only 2-bit to encode the data in DNA uate the encryption quality of these cryptosystems, three representation. Indeed, the future work will focus on this estimation criteria are used. These criteria are the mean extension to combine DNA computing and hyperchaotic square error (MSE), peak signal to noise ratio (PSNR), systems for designing a new image cryptosystem. More- and structural similarity index metric (SSIM) which can over, the suggested architecture is simple and flexible so be computed by Equation (21), Equation (22), and Equa- it can be adapted to work on two or more groups of bit- tion (23), respectively [27, 35, 38]. planes. Each group may contain any number of bits. For M N  2 example, the algorithm can be slightly modified to handle 1 X X MSE = M×N P (r, s) − C(r, s) (21) two groups with an equal number of bits. The first group r=1 s=1 may contain the most significant 4 bits of the pixel and the second group includes the least significant 4 bits of where P , C, M, and N are the plainimage, its correspond- the pixel. ing cipherimage, the height, and the width of the image, The suggested cryptosystem employs multi chaotic sys- respectively. tems cascading together to mitigate the dynamic degra- 2 dation of a single chaotic system under the finite pre- 255 PSNR = 10 log10( MSE ) (22) cision computation. Namely, the algorithm utilizes three chaotic maps including intertwining Logistic map and two

2µP µC +ε1 2σPC +ε2 Sin-Sin maps. The good chaotic behavior of these maps SSIM = (23) 2 2
2 2
guarantees a better performance of the suggested cipher. µP +µC +ε1 σP +σC +ε2 Further, employing several chaotic maps extends the key- space of the algorithm. Specifically, nine parameters of where µP and µC are the mean for the images P and C, 2 2 the employed maps represent the secret key of the scheme, respectively. σP , σC , and σPC represent the variance of which make the key-space very large to resist exhaustive P , the variance of C, and the covariance between P and search attack. C, respectively. Finally, ε1 and ε2 denote two predefined Moreover, the scheme applies a self-adaptive encryp- quantities. tion mechanism that exploits the features of the bit group An interesting experiment that demonstrates the ca- SP SP G2 to encrypt the first group G1 to satisfy a depen- pability of the suggested cipher to hide plainimage pat- dency on the input plainimage. This dependency assures terns is displayed in Figure 4 in which the encryption that the proposed cipher can withstand the chosen plain- and decryption results associated to the five plainimages image/cipherimage attacks. In addition, the parameters are depicted. Obviously, the suggested method conceals International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 54

a) Lena plainimage b) Lena cipherimage c ) Lena recovered image a) Female plainimage b) Female cipherimage c) Female recovered image

d) Airplane plainimage e) Airplane cipherimage f) Airplane recovered image d) Tiger plainimage e) Tiger cipherimage f) Tiger recovered image

Figure 5: Feasibility of the suggested cryptosystem for color images

g) Pirate plainimage h) Pirate cipherimage i) Pirate recovered image Table 1: Numerical evaluation based on MSE criterion Image [40] [2] [46] [34] [20] Ours Lena 8650.1 8697.3 8756 8691.5 8752.5 8767.7 Airplane 10120 10115 10123 10128 10130 10132 Pirate 7875.4 7844.1 7869.4 7880 7863.4 7889.3 Lake 9694.4 9672.7 9688.9 9632.4 9681.2 9699.6 TestPat 9753.3 9751.1 9693.9 9728.7 9747.4 9774.3 Average 9218.64 9216.04 9226.24 9212.12 9234.9 9252.58

j) Lake plainimage k) Lake cipherimage l) Lake recovered image ure 5 and the related numerical values are depicted in Table 4. The results of this experiment demonstrate that the proposed cipher is also very effective in encrypting the color images.

Table 2: Numerical evaluation based on PSNR criterion m) TestPat plainimage n) TestPat cipherimage o) TestPat recovered image Image [40] [2] [46] [34] [20] Ours Lena 8.7606 8.7369 8.7078 8.7399 8.7095 8.7019 Figure 4: Encryption and decryption of the suggested Airplane 8.0790 8.0811 8.0778 8.0755 8.0747 8.0740 image cryptosystem Pirate 9.1681 9.1853 9.1714 9.1655 9.1747 9.1604 Lake 8.2656 8.2753 8.2681 8.2934 8.2715 8.2633 TestPat 8.2393 8.2403 8.2658 8.2502 8.2419 8.2299 Average 8.5025 8.5038 8.4982 8.5049 8.4945 8.4859 all structures of the plainimages where the encrypted im- ages are notably different from their corresponding origi- nal images, namely, the regular visual information of the Table 3: Numerical evaluation based on SSIM criterion plainimages can not be perceived in the ciphered images. Image [40] [2] [46] [34] [20] Ours Computationally, the obtained values of MSE, PSNR, Lena 0.0113 0.0057 0.0050 0.0093 0.0056 0.0022 and SSIM related to the proposed cipher, Xu et al. [40], Airplane 0.0041 0.0077 0.0071 0.0098 0.0074 0.0108 Cao et al. [2], Zhang and Wang [46], Wang et al. [34], and Pirate 0.0064 0.0183 0.0072 0.0025 0.0075 0.0093 Liu et al. [20] are shown in Table 1, Table 2 and Table 3, Lake 0.0085 0.0051 0.0056 0.0123 0.0064 0.0063 respectively. The results reflect that there is a negligible TestPat 0.0016 0.0063 0.0083 0.0083 0.0077 0.0028 Average 0.0064 0.0086 0.0066 0.0084 0.0069 0.0063 relation between the plainimages and their corresponding ciphered images. Further, it is clear that the suggested ci- pher outperforms the schemes presented in [2,20,34,40,46] because it yields the largest average value for MSE and 5 Security Analysis the smallest average value of PSNR, and SSIM. Another example that confirms the feasibility of the A secure image cryptosystem must thwart all forms of at- suggested cryptosystem for color images is shown in Fig- tacks, including ciphertext-only attack, known plaintext International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 55

Table 4: Numerical evaluation of the proposed cipher for color images Femal Tiger Images MSE PSNR SSIM MSE PSNR SSIM Red 10075 8.0984 0.0004 10093 8.0906 0.0019

Green 12892 7.0277 0.0090 7969.9 9.1163 0.0061 a) Lena plainimage b) Lena cipherimage: E1 c) Lena cipherimage: E2 d) Difference image: D (E1, E2) Blue 13487 6.8315 0.0048 8691.1 8.7401 0.0006 Average 12151.33 7.3192 0.0047 8918 8.649 0.0029 attack, brute force attack, and statistical attack [17, 21,

22]. Herein, the security tests on the proposed scheme are e) Airplane plainimage f) Airplane cipherimage: E1 g) Airplane cipherimage: E2 h) Difference image: D (E1, E2) thoroughly performed. These tests include the key space test, key sensitivity test, statistical test and plaintext sen- sitivity test(differential attack). Different tests attest that the suggested cipher provides a reasonable security level. In our experiments, the plainimages of Lena, Airplane, Pirate, Lake, and TestPat shown in Figure 4 have been i) Pirate plainimage j) Pirate cipherimage: E1 k) Pirate cipherimage: E2 l) Difference image: D (E1, E2) investigated and the simulated results are displayed for illustration. Moreover, according to the structure of the suggested cipher which correlates the chaotic parameters with the plainimage/cipherimage, the cipher is strongly immune to ciphertext-only, chosen plaintext, and known m) Lake plainimage n) Lake cipherimage: E1 o) Lake cipherimage: E2 p) Difference image: D (E1, E2) plaintext attacks.

5.1 Key Space Analysis An essential property for a secure image cipher is the high sensitivity to the cipher keys. Further, to defend against q) TestPat plainimage r) TestPat cipherimage: E1 s) TestPat cipherimage: E2 t) Difference image: D (E1, E2) brute force attacks, the key space of the cipher must be sufficiently large [1, 24, 25]. The key space test on the Figure 6: Results of key sensitivity for the suggested cryp- proposed cryptosystem is carried out and the results are tosystem summarized here.

Key space: The suggested cipher, as previously stated, uses the control parameters and initial conditions of to get a closely related key (key ) and the same the intertwining Logistic map and Sine-Sine map as a 2 plainimage P is encrypted again to get the ci- secret key. So, the secret key includes the parameters phered image E2; (u, K1,K2,K3, X, Y, Z, u1, and u2). Accordingly, the proposed cipher has 10135 > 2115 of different possible 3) Finally, the difference between the two enci- combinations of secret keys for a double-precision im- phered images E1 and E2 is evaluated. plementation. Thus, a cryptosystem with such large key space is reliable for image security applications and also can effectively defy the brute force attack. Figure 6 illustrates the original plainimages, the two cipherimages obtained in the aforementioned steps, and Key sensitivity test: An attractive property of an the difference image D(E1,E2), for each image, respec- ideal cryptosystem is its sensitivity to the secret key, tively. Notably, the difference images shown in Figure 6 namely, a minor modification in the secret key pa- confirm that the associated two cipherimages are totally rameters (changing only one bit of the encryption distinct. key) must result in an entirely different ciphered im- Furthermore, to computationally measure the differ- age. To check the key sensitivity of the suggested ence between the two enciphered images E1 and E2, the cryptosystem, the subsequent steps are performed: correlation coefficient (CC), the number of pixels change rate (NPCR) and the unified average changing intensity 1) The secret key (key that contains the set of 1 (UACI) are computed. The CC, NPCR, and UACI initial values of chaotic maps used) is employed measures are depicted in Equation (24), Equation (25), to encrypt the plainimage P and the resulted and Equation (26), respectively [10, 44, 46]. encrypted image is denoted as E1;

2) The secret key (key1) is slightly modified, by CC = E(Z√−E(Z))(√w−E(w)) (24) changing only one bit of one secret parameter, D(z) D(w) International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 56 where though there is only a single bit change between the keys used for encryption and decryption. Thus, the suggested N N X 1 X D(z) = 1 (z − E(z))2 and E(z) = z scheme is extremely sensitive to encryption key. N i N i i=1 i=1

M N X X D(i, j) i=1 j=1 NPCR = M×N × 100% (25) where ( 0 if E (i, j) = E (i, j) D(i, j) = 1 2

1 otherwise a) Lena plainimage b) Lena cipherimage: E1 c )Lena recovered-image :RI

M N !! X X |E1(i, j) − E2(i, j)| UACI = 1 × 100% (26) M×N 255 i=1 j=1 The results of the key sensitivity test in terms of NPCR, UACI, and CC are displayed in Table 5, Table 6, and Ta- ble 7, respectively. The obtained values denote that there f )Airplane recovered-image :RI is a negligible correlation and a considerable difference d) Airplane plainimage e) Airplane cipherimage: E1 among the enciphered images although they are gener- ated by slightly different encryption keys. For instance, the enciphered image of Lena using key1 has 99.62% (on average) of difference from the image enciphered using key2 in terms of the pixel gray values, even though there is a single bit change between the two encryption keys. h) Pirate cipherimage: E i )Pirate recovered-image :RI Note that, the first row of the tables specifies the modi- g) Pirate plainimage 1 fied parameter of key1 to obtain key2.

Table 5: Key sensitivity of the suggested method based on NPCR Image X1 X2 X3 K1 K2 K3 U U1 U2 Average Lena 99.60 99.64 99.66 99.61 99.62 99.60 99.62 99.63 99.62 99.62

Airplane 99.62 99.61 99.60 99.61 99.59 99.62 99.59 99.58 99.60 99.60 j) Lake plainimage k) Lake cipherimage: E1 l )Lake recovered-image :RI Pirate 99.62 99.59 99.62 99.61 99.63 99.63 99.63 99.64 99.60 99.62 Lake 99.59 99.60 99.63 99.63 99.59 99.60 99.60 99.61 99.63 99.61 TestPat 99.64 99.62 99.65 99.65 99.64 99.64 99.61 99.63 99.60 99.63 Average 99.61 99.61 99.63 99.62 99.61 99.62 99.61 99.62 99.61

Table 6: Key sensitivity of the suggested method based on

UACI m) TestPat plainimage n) TestPat cipherimage: E1 o )TestPat recovered-image :RI Image X1 X2 X3 K1 K2 K3 U U1 U2 Average Lena 33.50 33.47 33.53 33.51 33.55 33.56 33.49 33.62 33.48 33.52 Airplane 33.49 33.49 33.47 33.46 33.53 33.45 33.49 33.53 33.50 33.49 Figure 7: Key sensitivity of the proposed cryptosystem Pirate 33.44 33.49 33.44 33.48 33.47 33.49 33.48 33.48 33.49 33.47 Lake 33.41 33.46 33.49 33.51 33.48 33.52 33.62 33.50 33.49 33.50 based on wrong decryption key TestPat 33.47 33.51 33.54 33.49 33.60 33.52 33.60 33.50 33.51 33.53 Average 33.46 33.48 33.49 33.49 33.53 33.51 33.54 33.53 33.49

Table 7: Key sensitivity of the suggested method based on CC 5.2 Statistical Analysis Image X1 X2 X3 K1 K2 K3 U U1 U2 Average Lena 0.0024 0.0035 0.0029 0.0025 0.0089 0.0012 0.0013 0.0065 0.0004 0.0033 Airplane 0.0015 0.0003 0.0040 0.0004 0.0043 0.0015 0.0001 0.0036 0.0034 0.0021 Pirate 0.0026 0.0005 0.0016 0.0001 0.0025 0.0008 0.0020 0.0045 0.0053 0.0022 By analyzing the histogram of the encrypted images and Lake 0.0051 0.0006 0.0030 0.0019 0.0016 0.0027 0.0090 0.0022 0.0012 0.0030 the adjacent ciphered pixels correlations, we can judge TestPat 0.0008 0.0016 0.0001 0.0010 0.0048 0.0015 0.0044 0.0023 0.0004 0.0019 Average 0.0025 0.0013 0.0023 0.0012 0.0044 0.0015 0.0034 0.0038 0.0021 the strength of the suggested cipher to statistical analy- sis attacks. Accordingly, these tests are applied on the Furthermore, when the decryption key is slightly mod- proposed scheme and the obtained results reveal the su- ified (trivially different from the encryption key), the re- perior resistance of our cipher against statistical attacks covering of the plainimage also absolutely fails. Figure 7 compared to the related ciphers [2, 20, 34, 40, 46]. The indicates that the image enciphered by key1 (image E1) tests are thoroughly described in the subsequent two sub- is not properly recovered using key2 (image RI), even sections. International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 57

5.2.1 Histograms of Encrypted Images always yields a smaller value than the expected value of Chi-square test (293 for a significant level 0.05) which is a First, an original image of 256 gray levels of size M ×N is good indicator to the uniformity of histograms of the un- encrypted and the histograms of both images (the plain- derlying cipherimages. Additionally, the Chi-square test image and its encryption) are then calculated. The set demonstrates that the suggested cipher outperforms the of five plainimages and their encryption are investigated underlying ciphers offered in [2, 20, 34, 40, 46] because it for this test. The experiment yields the histograms illus- results in the smallest average Chi-square value. trated in Figure 8. H−1 X (O(s) − E(s))2 χ2 = (27) test E(s) s=0

where H, O(s), and E(s) denote the number of image gray levels, the actual and expected occurrences of each

a) Lena plainimage b) Lena plainimage histogram c) Lena cipherimage d )Lena cipherimage histogram gray level, respectively.

Table 8: Chi-square test of the proposed cipher and related current schemes Image [40] [2] [46] [34] [20] Ours Lena 273.81 232.01 343.94 257.96 308.73 231.81 e) Airplane plainimage f) Airplane plainimage histogram g) Airplane cipherimage h) Airplane cipherimage histogram Airplane 244.27 253.30 287.93 275.51 405.94 268.50 Pirate 247.63 274.29 239.95 250.25 675.48 222.20 Lake 266.38 255.93 257.91 278.34 281.80 225.69 TestPat 277.84 272.17 252.71 265.77 50273 228.23 Average 261.99 257.54 276.49 265.57 10388.99 235.29

i) Pirate plainimage j) Pirate plainimage histogram k) Pirate cipherimage l) Pirate cipherimage histogram

5.2.2 Correlation of Two Adjacent Pixels To analyze the correlation of neighboring pixels in the plainimage and the enciphered one, the subsequent steps are performed [3,24]. First, randomly choose a set of pairs m) Lake plainimage n )Lake plainimage histogram o) Lake cipherimage p) Lake cipherimage histogram of two adjacent pixels from the underlying image along the horizontal (H), the vertical (V ), and the diagonal (D) di- rections. Afterward, estimate the correlation coefficient (CC) between these pairs in each direction. Accordingly, the correlation results for the adjacent pixels in these di-

q) TestPat plainimage r) TestPat plainimage histogram s) TestPat cipherimage t) TestPat cipherimage histogram rections for the encrypted images shown in Figure 4 are examined and compared with the values associated with Figure 8: Histogram analysis of the suggested image ci- the ciphers presented in [2, 20, 34, 40, 46]. The results are pher depicted in Table 9, Table 10, and Table 11. It is obvious that all correlations tend to zero and the proposed cryp- tosystem produces the smallest average correlation in all Clearly, the histograms of the encrypted images are ap- directions compared to the other schemes. proximately uniform and are notably distinct from that of the corresponding plainimages. Further, it proves that the suggested cryptosystem has complicated the depen- Table 9: The correlation of neighboring pixels in H direc- dence of the cipherimages statistics on the plainimages tion Image [40] [2] [46] [34] [20] Ours statistics and has succeeded in concealing all characters Lena 0.0069 0.0362 0.0158 0.0156 0.0241 0.0012 of the plainimages. Furthermore, to statistically demon- Airplane 0.0344 0.0207 0.0213 0.0040 0.0156 0.0100 strate the histogram uniformity of the cipherimages, the Pirate 0.0244 0.0063 0.0051 0.0057 0.0074 0.0070 Chi-square test is performed on each cipherimage of the Lake 0.0306 0.0027 0.0110 0.0196 0.0113 0.0042 five plainimages in Figure 4. The Chi-square value can TestPat 0.0053 0.0153 0.0214 0.0201 0.0243 0.00045 be computed according to Equation (27) [3, 10]. Table 8 Average 0.0203 0.0162 0.0149 0.013 0.0165 0.00457 illustrates the results produced by applying Chi-square test with a significant level 0.05 on the cipherimages ob- Furthermore, Figure 9 represents the distribution of tained from the proposed cipher, Xu et al. [40], Cao et two neighboring pixels in horizontal direction (the same al. [2], Zhang and Wang [46], Wang et al. [34], and Liu results can be gained for diagonal and vertical adjacent et al. [20] ciphers. Notably, the proposed cryptosystem pairs) for the five plainimages and their enciphered images International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 58 ) ) y y , , 1 1 + + x x ( (

Table 10: The correlation of neighboring pixels in V di- n n o o i i t t a a c c

rection o o l l

n n o o

Image [40] [2] [46] [34] [20] Ours e e u u l l a a v v

Lena 0.0103 0.0087 0.0115 0.0044 0.0042 0.0023 y y a a r r g g

l l e e x x

Airplane 0.0057 0.0061 0.0072 0.0027 0.0063 0.0059 i i P P Pirate 0.0096 0.0045 0.0147 0.0022 0.0164 0.0073 a) Lena plainimage Pixel gray value on location (x, y) Pixel gray value on location (x, y) Lake 0.0079 0.0120 0.0145 0.0276 0.0118 0.0034 b) Distribution of Lena plainimage c) Distribution of Lena cipherimage ) ) TestPat 0.0297 0.0056 0.0051 0.0048 0.0228 0.0169 y , y , 1 1 + + x ( x

Average 0.0126 0.0074 0.0106 0.0083 0.0123 0.0072 (

n n o i o t i t a a c c o l o

l

n n o

o

e e u l u l a a v

v

y y a r a r g

g l

l e e x

Table 11: The correlation of neighboring pixels in D di- i x i P

P rection d) Airplane plainimage Pixel gray value on location (x, y) Pixel gray value on location (x, y)

Image [40] [2] [46] [34] [20] Ours e) Distribution of Airplane plainimage f) Distribution of Airplane cipherimage

Lena 0.0149 0.0107 0.0240 0.0083 0.0064 0.00025 ) ) y y , , 1 1 + +

Airplane 0.0022 0.0128 0.0161 0.0209 0.0077 0.0060 x x ( (

n n o o i i t t

Pirate 0.0054 0.0077 0.0135 0.0453 0.0094 0.0182 a a c c o o l l

n n o o

Lake 0.0073 0.0209 0.0087 0.0227 0.0241 0.0099 e e u u l l a a v v

TestPat 0.0136 0.0101 0.0069 0.0240 0.0253 0.0027 y y a a r r g g

l l

Average 0.0087 0.0124 0.0138 0.0242 0.0146 0.00741 e e x x i i P P

g) Pirate plainimage Pixel gray value on location (x, y) Pixel gray value on location (x, y) h) Distribution of Pirate plainimage i) Distribution of Pirate cipherimage ) ) y y , , 1 1 + + x

shown in Figure 4. Consequently, the obtained results at- x ( (

n n o o i i t t a a test that the suggested cryptosystem can remove the tight c c o o l l

n n o o

e correlation between neighboring pixels of the plainimage. e u u l l a a v v

y y a a r r g g

l l e e x x i i P P

j) Lake plainimage Pixel gray value on location (x, y) Pixel gray value on location (x, y) 5.3 Differential Attacks k) Distribution of Lake plainimage l ) Distribution of Lake cipherimage ) ) y y , , 1 1 + + x x ( (

n n o o i i t t a a

Differential attack is an effective methodology to crack c c o o l l

n n o o

the cipher by comparing the encryption results of slightly e e u u l l a a v v

y y a a

different plainimages. So, a desirable feature of a good r r g g

l l e e x x i i cipher is its sensitive to slight changes (only one bit mod- P P

ification) of the plainimage. To assess the effect of alter- m) TestPat plainimage Pixel gray value on location (x, y) Pixel gray value on location (x, y) ing only one pixel of the plainimage on the obtained en- n) Distribution of TestPat plainimage o) Distribution of TestPat cipherimage cryption from the proposed scheme, the CC, NPCR and UACI criteria can be exploited [3, 44, 46]. This experi- Figure 9: Neighboring pixels correlation analysis of the suggested image cipher ment assumes that I1 and I2 be two identical plainimages except for only one pixel and the corresponding encrypted images are denoted by E1 and E2. Afterward, the values of CC, NPCR and UACI for E1 and E2 are calculated. Table 12: Plaintext sensitivity of the suggested cipher Several tests are carried out on the proposed cipher to Image CC NPCR(%) UACI(%) reveal the effect of modifying a single pixel of an image Lena 0.0055 99.6155 33.5859 of 256 gray levels. The obtained values are presented in Airplane 0.0020 99.6207 33.5433 Table 12 and shown in Figure 10. Particularly, the aver- Pirate 0.0051 99.6445 33.4911 age NPCR is evaluated to be over 99.62% (the expected Lake 0.0053 99.6170 33.6044 value of NPCR for two randomly generated images is TestPat 0.00046 99.6414 33.5238 99.60% [10] which in turn confirms that the suggested Average 0.00367 99.6278 33.5497 cipher is extremely sensitive to insignificant variations of the original plainimage. Moreover, UACI is estimated to be over 33.54% (the expected value of UACI for two ran- 6 Conclusions domly generated images is 33.46% [10] showing thereby that the rate of influence based on a single pixel modifi- In this paper, a novel selective bit-level image cryptosys- cation is particularly large. Also, there is a negligible CC tem based on self-adaptive encryption has been suggested. value between E1 and E2. Briefly, the obtained values for The self-adaptive encryption employs the information ex- CC, NPCR and UACI demonstrate that the suggested tracted from a selected group of image bit-planes to make cipher can effectively withstand the differential attacks. the encryption result related directly to the plainimage. International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 59

[2] C. Cao, K. Sun, and W. Liu, “A novel bit-level image encryption algorithm based on 2d-licm hyperchaotic map,” Signal Processing, vol. 143, pp. 122–133, 2018. [3] J. Chen, Z. Zhu, C. Fu, H. Yu, and Y. Zhang, “Reusing the permutation matrix dynamically for

a) Lena plainimage b) Lena cipherimage: E1 c) Lena cipherimage: E2 d) Difference-image of b) and c) efcient image cryptographic algorithm,” Signal Pro- cessing, vol. 111, pp. 294–307, 2015. [4] A. Diaconu, “Circular inter-intra pixels bit-level per- mutation and chaos-based image encryption,” Infor- mation Sciences, vol. 355-356, pp. 314–327, 2015. [5] C. Fu, B. B. Lin, Y. S. Miao, X. Liu, and J. J. Chen, e) Airplane plainimage f) Airplane cipherimage: E1 g) Airplane cipherimage: E2 h) Difference-image of f) and g) “A novel chaos-based bit-level permutation scheme for digital image encryption,” Optics Communica- tions, vol. 284, no. 23, pp. 5415–5423, 2011. [6] C. Fu, W. H. Meng, Y. F. Zhan, Z. L Zhu, F. C. M. Lau, C. K. Tse, and H. F Ma, “An efficient and secure medical image protection scheme based on chaotic i) Pirate plainimage j) Pirate cipherimage: E1 k) Pirate cipherimage: E2 l) Difference-image of j) and k) maps,” Computers in Biology and Medicine, vol. 43, no. 8, pp. 1000–1010, 2013. [7] X. He, Q. Zhu, , and P. Gu, “A new chaos-based encryption method for color image,” in Proceedings of The International Conference on Rough Sets and

m) Lake plainimage n) Lake cipherimage: E1 o) Lake cipherimage: E2 p) Difference-image of n) and o) Knowledge Technology (RSKT 2006), pp. 671–678, Chongqing, China, July 2006. [8] T. Hoang and H. Thanh, “Cryptanalysis and security improvement for a symmetric color image encryption algorithm,” Optik, vol. 155, pp. 366–383, 2018. [9] A. Jolfaei and X. Wu, “On the security of permuta- q) TestPat plainimage r) TestPat cipherimage: E s) TestPat cipherimage: E 1 2 t) Difference-image of r) and s) tiononly image encryption schemes,” IEEE Transac- tions on Information Forensics and Security, vol. 11, Figure 10: Plainimage sensitivity of the suggested image no. 2, pp. 235–246, 2016. cipher [10] H. Kwok and K. Tang, “A fast image encryption sys- tem based on chaotic maps with nite precision rep- resentation,” Chaos, Solitons Fractals, vol. 32, no. 4, Extensive simulations and security analyses have been im- pp. 1518–1529, 2007. plemented on the suggested cryptosystem including sta- [11] C. Li, “On the security of a chaos-based encryption tistical analysis, key space analysis, secret key and plain- method for color image,” in Proceedings of The Third image sensitivity analyses. Accordingly, the obtained re- International IEEE Scientific Conference on Physics sults demonstrate that the presented image cipher can and Control (PhysCon 2007), Potsdam, Germany, perfectly hide the plainimage information and further be September 2007. suitable for secure image storage and communications. [12] C. Li, S. Li, M. Asim, J. Nunez, G. Alvarez, and G. Chen, “On the security defects of an image en- cryption scheme,” Image and Vision Computing, Acknowledgments vol. 29, no. 9, pp. 1371–1381, 2009. [13] C. Li, S. Li, G. Chen, and W. A. Halang, “Cryptanal- ysis of an image encryption scheme based on a com- The author gratefully acknowledge the anonymous re- pound chaotic sequence,” Image and Vision Comput- viewers for their valuable comments. ing, vol. 27, no. 8, pp. 1035–1039, 2009. [14] M. Li, Y. Guo, J. Huang, and Y. Li, “Cryptanaly- sis of a chaotic image encryption scheme based on References permutation-diffusion structure,” Signal Processing: Image Communication, vol. 62, pp. 164–172, 2018. [1] A. A. Abdo, S. Lian, I. A. Ismail, M. Amin, and [15] S. Li, C. Li, G. Chen, N. G. Bourbakis, and K. Lo, “A H. Diab, “A cryptosystem based on elementary general quantitative cryptanalysis of permutation- cellular automata,” Communications in Nonlinear only multimedia ciphers against plaintext attacks,” Science and Numerical Simulation, vol. 18, no. 1, Image Communication, vol. 23, no. 3, pp. 212–223, pp. 136–147, 2013. 2008. International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 60

[16] Y. Li, C. Wang, and H. Chen, “A hyper-chaos-based Numerical Simulation, vol. 18, no. 11, pp. 3075–3085, image encryption algorithm using pixel-level permu- 2013. tation and bit-level permutation,” Optics and Lasers [32] X.-Y. Wang, L. Teng, and X. Qin, “A novel colour in Engineering, vol. 90, pp. 238–246, 2017. image encryption algorithm based on chaos,” Signal [17] S. Lian, Multimedia content encryption: techniques Processing, vol. 92, no. 4, pp. 1101–1108, 2012. and applications (1ed). USA: CRC Press/Taylor and [33] X. Y. Wang, X. J Wang, J. Zhao, and Z. Zhang, Francis, 2008. “Chaotic encryption algorithm based on alternant of [18] S. G. Lian, J. Sun, and Z. Wang, “A block cipher stream cipher and block cipher,” Nonlinear Dynam- based on a suitable use of the chaotic standard map,” ics, vol. 63, no. 4, pp. 587–597, 2011. Chaos, Solitons Fractals, vol. 26, no. 1, pp. 117–129, [34] X.-Y. Wang, Y.-Q. Zhang, and X.-M. Bao, “A 2005. novel chaotic image encryption scheme using dna se- [19] H. J. Liu and X. Y. Wang, “Color image encryp- quence operations,” Optics and Lasers in Engineer- tion using spatial bit-level permutation and high- ing, vol. 73, pp. 53–61, 2015. dimension chaotic system,” Optics Communications, [35] Z. Wang and A. Bovik, Modern image quality assess- vol. 284, no. 16, pp. 3895–3903, 2011. ment: Synthesis lectures on image, Video and Multi- [20] J. Liu, D. Yang, H. Zhou, and S. Chen, “A digital im- media Processing (1ed). USA: Morgan and Claypool, age encryption algorithm based on bit-planes and an 2006. improved logistic map,” Multimedia Tools and Ap- [36] J. Wu, X. Liao, and B. Yang, “Cryptanalysis and plications, vol. 77, no. 8, pp. 10217–10233, 2018. enhancements of image encryption based on three- [21] A. Mitra, Y. V. Rao, and S. R. Prasnna, “A new im- dimensional bit matrix permutation,” Signal Pro- age encryption approach using combinational permu- cessing, vol. 142, pp. 292–300, 2018. tation techniques,” International Journal of Electri- [37] T. Xiang, K. W. Wong, and X. F. Liao, “Selective cal and Computer Engineering, vol. 1, no. 2, pp. 127– image encryption using a spatiotemporal chaotic sys- 131, 2006. tem,” Chaos, vol. 17, 023115, 2007. [22] R. A. Mollin, An introduction to cryptography (2ed). [38] W. Xiangjun, K. Haibin, and K. Jrgen, “A new color USA: CRC Press, 2006. image encryption scheme based on dna sequences and [23] B. Norouzi and S. Mirzakuchaki, “Breaking an image multiple improved 1d chaotic maps,” Applied Soft encryption algorithm based on the new substitution Computing, vol. 37, pp. 24–39, 2015. stage with chaotic functions,” Optik, vol. 127, no. 14, [39] D. Xiao, X. F. Liao, and P. C. Wei, “Analysis and pp. 5695–5701, 2016. improvement of a chaos-based image encryption al- [24] C. Pak and L. Huang, “A new color image encryption gorithm,” Chaos, Solitons Fractals, vol. 40, no. 5, using combination of the 1d chaotic map,” Signal pp. 2191–2199, 2009. Processing, vol. 138, pp. 129–137, 2017. [25] N. K. Pareek, V. Patidar, and K. K. Sud, “Image [40] L. Xu, Z. Li, J. Li, and W. Hua, “A novel bit-level encryption using chaotic logistic map,” Image and image encryption algorithm based on chaotic maps,” Vision Computing, vol. 24, no. 9, pp. 926–934, 2006. Optics and Lasers in Engineering, vol. 78, pp. 17–25, [26] Z. Parvin, H. Seyedarabi, and M. Shamsi, “A new se- 2016. cure and sensitive image encryption scheme based on [41] G. Ye, “Image scrambling encryption algorithm of new substitution with chaotic function,” Multimedia pixel bit based on chaos map,” Pattern Recognition Tools and Applications, vol. 75, no. 15, pp. 10631– Letters, vol. 31, no. 5, pp. 347–354, 2010. 10648, 2016. [42] J. C. Yen and J. I. Guo, “Design of a new signal [27] I. S. Sam, P. Devaraj, and R. S. Bhuvaneswaran, security system,” in Proceedings of The IEEE In- “An intertwining chaotic maps based image encryp- ternational Symposium on Circuits and Systems (IS- tion scheme,” Nonlinear Dynamics, vol. 69, no. 4, CAS 2002), pp. 121–124, Scottsdale, Ariz, USA, May pp. 1995–2007, 2012. 2002. [28] L. Teng and X. Y. Wang, “A bit-level image en- [43] W. Zhang, K. Wong, H. Yu, and Z. Zhu, “An image cryption algorithm based on spatiotemporal chaotic encryption scheme using lightweight bit-level con- system and self-adaptive,” Optics Communications, fusion and cascade cross circular diffusion,” Optics vol. 285, no. 20, pp. 4048–4054, 2012. Communications, vol. 285, no. 9, pp. 2343–2354, [29] X. Tong and M. Cui, “Image encryption with com- 2012. pound chaotic sequence cipher shifting dynamically,” [44] W. Zhang, K. Wong, H. Yu, and Z. Zhu, “A sym- Image and Vision Computing, vol. 26, no. 6, pp. 843– metric color image encryption algorithm using the 850, 2008. intrinsic features of bit distributions,” Communica- [30] G. Tu, X. Liao, and T. Xiang, “Cryptanalysis of a tions in Nonlinear Science and Numerical Simula- color image encryption algorithm based on chaos,” tion, vol. 18, no. 3, pp. 584–600, 2013. Optik, vol. 124, no. 22, pp. 5411–5415, 2013. [45] W. Zhang, H. Yu, Y. Zhao, and Z. Zhu, “Image en- [31] X.-Y. Wang and D. Luan, “A novel image encryp- cryption based on three dimensional bit matrix per- tion algorithm using chaos and reversible cellular au- mutation,” Signal Processing, vol. 118, pp. 36–50, tomata,” Communications in Nonlinear Science and 2016. International Journal of Network Security, Vol.21, No.1, PP.47-61, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).07) 61

[46] Y.-Q. Zhang and X.-Y. Wang, “A new image encryp- Biography tion algorithm based on non-adjacent coupled map lattices,” Applied Soft Computing, vol. 26, pp. 10– Hossam Diab received his B.S. degree, the M.Sc. de- 20, 2015. gree and Ph.D. degree in Computer Science from Faculty [47] X. Y. Zhao, G. Chen, D. Zhang, X. H. Wang, and of Science, Menoufia University, Egypt in 1999, 2004 and G. C. Dong, “Decryption of pure-position permu- 2010, respectively. He is an assistant Professor at the tation algorithms,” Journal of Zhejiang University- Department of Mathematics and Computer Science, Fac- SCIENCE A, vol. 5, no. 7, pp. 803–809, 2004. ulty of Science, Menoufia University, Egypt. However, [48] Y. Zhou, W. Cao, and C. L. P. Chen, “Image en- he is currently working as a visitor for Computer Science cryption using binary bitplane,” Signal Processing, and Engineering College, Taibah University, Saudi Ara- vol. 100, pp. 197–207, 2014. bia. His research interests are in the areas of cryptogra- [49] Z. L. Zhu, W. Zhang, K. W Wong, and H. Yu, “A phy, application of chaotic systems in multimedia content chaos-based symmetric image encryption scheme us- encryption, digital image processing, image compression, ing a bit-level permutation,” Information Sciences, image watermarking. vol. 181, no. 6, pp. 1171–1186, 2011. International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 62

Privacy-Preserving and Dynamic Authentication Scheme for Smart Metering

Xiuxia Tian1,2, Fuliang Tian1, Anqin Zhang1, and Xi Chen1 (Corresponding author: Xiuxia Tian)

College of Computer Science and Technology, Shanghai University of Electric Power1 No. 2588 Changyang Road, Shanghai 200090, China College of Data Science and Engineering, East China Normal University2 No. 3663 Zhongshan Road, Shanghai 200062, China (Email: [email protected].) (Received Aug. 28, 2017; revised and accepted Dec. 5, 2017)

Abstract has its problems, especially in the sender authentication and user privacy protection [6, 14–16]. According to the Smart grid has emerged as the next generation of power report [30], the existing authentication mechanism exist grid, as a result, the smart meter technology has devel- the problem of key exposure and insufficient authentica- oped rapidly. However, smart meter faces some critical tion, the existence of these problems poses a threat to security challenges such as insufficient authentication and the security of communications in the smart grid. In the user privacy disclosure. To cope with these challenging process of communication, the information transmitted issues, a privacy-preserving and dynamic authentication by smart meter includes many privacy data, such as the scheme based on Chinese residual theorem is proposed. user’s identity and real-time power. When the attacker In the proposed scheme, the smart grid is combined with obtains these data, especially when the user’s identity and cloud computing, which solves the problem of key leakage real-time power can be associated, the attacker can com- and reduces the burden of data processing in smart grid. bine the background knowledge to obtain the user’s be- Specifically, the proposed scheme not only implements the havior habit, and makes specific attacks on users. What’s smart meter authentication, but also makes it impossible more, as the number of SMs increases, calculating keys for both internal and external attackers to associate the for each SM is a complex business, as will as the key real identity of users with their real-time power. In addi- management and the authentication conditions dynamic tion, our scheme supports the dynamic update of smart update. At the same time, when a large number of users meter authentication conditions. Compared with the ex- have power requirements, the communication overhead of isting schemes, the proposed scheme has higher security SMs is also a great challenge. and lower communication overhead. Fortunately, recent researches [4, 26] shows that cloud Keywords: Chinese Remainder Theorem; Identity Au- computing has a great advantage in terms of flexibility, thentication; Privacy Protection; Smart Meter scalability, and cost investment, and is highly compatible with SG. so we have integrated the SG with cloud com- puting in the proposed scheme, and migrate master key 1 Introduction computing and system data management to cloud com- puting. In this way, the ability of data calculation and With the development of science and technology, smart key management for SG is improved, and the problem of grid (SG) [11] has attracted more and more attention. key leakage has been solved. In order to solve the prob- The structure of the SG can be divided into three lay- lem of SM authentication and user privacy-preserving, we ers [13]: Power Company (PC), Regional Manager (RM) propose a new authentication scheme based on Chinese and Smart Meter (SM). The SM is a power-collecting de- Remainder Theorem (CRT), it is different from the past. vice with user identity information, which can send the The contributions of the paper are in the following: real-time power of the user to the RM and PC. The PC 1) The real identity of the user is stored in the cloud completes power generation planning and remote control computing in an encrypted form, both internal and operations by analyzing the user’s electricity information, external attackers cannot associate the real identity and achieve the rational use of resources. of users with their real-time power; SM has been adopted by more and more countries and regions, but the development of this technology is also 2) The authentication conditions of SMs are calculated International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 63

based on the CRT, SMs in the same region have the computes the HMAC of the encrypted request informa- same authentication conditions, but the authentica- tion to realizes the authentication and privacy protection, tion process is independent of each other. So we but PC can link the identity information of SM with its don’t have to calculate the authentication conditions real-time power, so they can’t defend against internal at- for each SM individually, the number of SMs can be tacks. In addition, we can also use the zero-proof identity dynamic changes, and the authentication conditions privacy protection schemes [21] to protect user privacy. can be dynamically updated; Li et al. [19] and Liu et al. [18] have proposed two effi- cient schemes for the secure communications of SMs and 3) We have combined SG with cloud computing to en- neighborhood gateways. Li et al. [19] proposed an authen- hance the ability of SG data processing, and solved tication and privacy protection scheme based on Merkle the problem of key leakage. hash tree [24], the real-time electricity consumption re- The rest of the paper is organized as follows: Related port is divided into several parts, the values of the leaf work is reviewed in Section 2. The system model is in- nodes of Merkle tree are the message hashes, the values of cluded in Section 3. The Section 4 explains the proposed internal nodes are derived from their child nodes, finally, scheme, which includes system initialization, smart me- the root node value can be obtained. The integrity of ter authentication and update operation of authentication the node information is verified by recording the values of condition. In the Section 5, the scheme is verified, and the the associated nodes, so the Merkle hash tree technique is security and performance are analyzed. Finally, Section 6 leveraged to facilitate the authentication implementation. concludes the paper. Liu et al. [18] have proposed a similar lightweight com- munication scheme that unlike Li et al.’s scheme uses the Lagrange polynomial formula for the message sender au- 2 Related Work thentication, and shows better performance comparing to Li et al.’s scheme. But these schemes have not addressed The security of information between SMs and servers is some security requirements, so Abbasinezhad et al. [25] a very important issue in the SG [10, 23, 29, 31], facing propose an extremely lightweight communication scheme many types of attacks, such as false data injection at- that can be applied effectively for the secure bidirectional tacks [9], data integrity attacks [12], man-in-the-middle communications of the SMs and the neighborhood gate- attacks [32], DoS attacks [20] and so on. Therefore, the ways. researchers put forward a lot of proposals for SM authen- Furthermore, key leakage and data processing in smart tication and user privacy protection. grid are also concerned by researchers. Baek et al. [3] de- Jeanno et al. [7] used blind signature [5] to generate signed a large information data management framework, identity vouchers, in this way, the signer does not know the literature [1] presents a realistic example of deploy- the specific content of the signature information, and then ing a cloud computing center in an SG system. Saxena associates the voucher with the request information to et al. [27] propose a lightweight cloud-trusted authorities- complete the authentication of the SM. However, it needs based integrated distributed authentication protocol that to budget the electricity in advance and generate a large provides mutual authentications among communicated amount of vouchers, which cannot request the quantity of entities in a distributed manner, and combined with cloud electricity in real time according to the load demand. Yu computing to achieve the key management. These are the et al. [33] used ring signatures to implement SM authen- new directions for SG development. tication and user privacy protection, avoiding the genera- tion of large numbers of credentials, but with greater com- putational complexity and communication overhead. The 3 System Model certificate verification scheme proposed by Lee et al. [17] is authenticated by using a trusted third party to issue a The system designed in this paper can be divided into certificate to the SM, but cannot be achieved between the two parts, the cloud computing part and the smart grid SM and PC certification. part, as shown in Figure 1. Cloud computing includes Recently, Marmol et al. [22] proposed a Homomorphic central cloud computing (CC) and regional cloud comput- encryption based solution to protect the privacy of SM, ing (RC), the smart grid section includes Power Company smart meters individually encrypt their requests with an (PC), Regional Manager (RM), and Smart Meter (SM). encryption function that allows the energy supplier to de- CC and RC complete data calculation and preservation crypt their aggregation result with an aggregated key, no during the initialization phase of the system, and can in- one can decrypt them individually, but it is easily broken teract with the SG to complete the update operation and by man-in-the-middle attacks. To address the weaknesses SM authentication. The SM records the user’s power in- resulting from such attacks, Badra et al. [2] propose an formation and sends the real-time power information to improved privacy solution which extends the scheme of the RM. The RM is used for SM authentication and trans- Marmol et al.. Chim et al. [8] proposed an authentica- mits the electricity consumption report of the area to the tion scheme by applying the Keyed-Hashing for Message PC in encrypted form. The PC responds to the user’s Authentication Code (HMAC). In this scheme, the SM electricity demand and completes the billing function. International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 64

central cloud && 5&  computing Crǃ MPU ǃ MPR ǃ PU PC

PUPCǃ PU RM PUPCǃ PU RM  PU RM Crǃ MPU ǃ MPR Crǃ MPU ǃ MPR Power Company  ǃ   Cǃ MPU ǃ MPR  PU MPU MPR PU PC r RM

3& 50 regional cloud regional cloud computing computing PURM f MPUǃ C r PUPC f MPUǃ r PR fMPRǃ C PRPC fMPR ǃ r RM r

PRPC PRRMǃ C r Regional Manager Regional Manager

Figure 2: Keys generation and distribution

Smart Meter Smart Meter Smart Meter Smart Meter 4.1 System Initialization Figure 1: System model System initialization includes the generation and distri- bution of keys and the identity registration of SM. In or- der to reduce the overhead of SG, system initialization is 4 Proposed Scheme completed in cloud computing.

This section will introduce the principle and concrete steps of the scheme from three aspects: system initial- 4.1.1 Keys Generation and Distribution ization, SM authentication and the update operation of Since the calculation and generation of the key has a high authentication condition. cost, in our scheme, the CC calculates the main public The notations in Table 1 are used throughout this pa- key and the main private key, PC and RM calculate their per. own keys according to the main public key and the main private key. In this way, the computational cost of the Table 1: Notations and definitions SG is reduced, and the private key of each part of the SG is only known by itself, avoiding the risk of key leakage, Notation Definition specific steps as shown in Figure 2. CRT Chinese Remainder Theorem PC Power Company Step 1. The CC generates a pair of key MPU and MPR CC Central cloud computing , where MPU is the main public key, MPR is RC Regional cloud computing the main private key, and then CC sends MPU RM Regional Manager and MPR to the PC; SM Smart Meter SG Smart grid Step 2. The PC uses a random number γ and MPU Main public key (MP U, MP R) to generate its own public key MPR Main private key PUPC = f(MP U, γ) and private key PRPC = PU Public key f(MP R, γ), and upload the public key PUPC to PR Private key the CC, and save the private key PRPC ; γ A random number Step 3. CC selects different secret value C for each RC, Cr Secret value r f() Key calculation formula and send {Cr,MPU,MPR,PUPC } to the RC; H() Hash function (MD5) for computing h E () Encrypting message using PU Step 4. The RC sends {PUPC ,Cr, MP U, MP R} to the PU RM; DPR() Decrypting message using PR h Hash value Step 5. The RM uses the secret value C and ID Real identity information of SM r (MP U, MP R) to compute the public key MSG Ciphertext information PU = f(MP U, C ) and the private key T time stamp RM r PRRM = f(MPR,Cr), and uploads the public PW SM power information key PURM to the RC, and save the private key X Solution of CRT PRRM . ni A prime number International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 65

4.1.2 SM Registration DSSOLFDWLRQ IRU 5& UHJLVWUDWLRQ 60 The SM should register authentication information in the E ID ǃ n PUǃ X ǃ n RC before they are used. In order to protect the real iden- PUPC i RM i PUǃ PU ǃ Xn ǃ tity information of the users, we propose a new scheme PC RM i XCn n ­ { r  1 mod 1 for SM identity authentication based on the CRT, and use ° XCn{  mod n ° r 2 2 E ID the secret value Cr as the SM authentication condition, ® E ID ǃ n PU PC ° # PUPC i the user’s real identity is encrypted with the PC’s public ° XCn n ¯ { r  i mod i key, and saved in the RC. The basic principle of CRT [28] is: If integers m1, m2, . . . , mn are pairwise relatively prime, then for any Figure 3: The registration of SM integer a1, a2, . . . , an, the following system of simultane- ous congruence has a unique solution x.  selects a group of coprime integers n1 = 3, n2 = 5, n3 = 7, x ≡ a1(modm1)  and produce Equation (3) according to Equation (2). x ≡ a2(modm2) (1)  . X ≡ 2(mod3)  .   X ≡ 4(mod5) (3) x ≡ a (modm ) n n X ≡ 6(mod7) The general solution can be constructed as follows. Let RC1 calculates X according to solving process. M = M = Qn m be the product of integers m , m , . . . , m , i=1 i 1 2 n n1 · n2 · n3 = 105, and Mi = M/ni. ti is a solution of an and set M = M/m , M t ≡ 1(modm ),i ∈ 1, 2, ..., n, i i i i i equation Miti ≡ 1(modni), so the value of M1 and t1 is the general solution of the equations is x = kM + calculated as follows: Pn i=1 aitiMi, in the sense of M, there is only one solu- Pn tion to the equations: x = ( i=1 aitiMi)modM. M1 = M/n1 = 105/3 = 35 As shown in Figure 3, the SM identity registration pro- M1t1 = 1(modn1) cess is as follows: 35 · t1 = 1(mod3)

Step 1. The RC selects a group of coprime integers t1 = 2 n1, n2, . . . , ni, the number of coprime integers should be sufficient for the users to use. Then, In the same way, M2 = 21, t2 = 1, M3 = 15, t3 = 1. Then, the solution X for the given CRT equation is RC uses the secret value Cr issued by the CC to obtain the only solution X according to Equa- calculated by Equation (4). tion (2); n X X = ( a t M )modM (4)  i i i X ≡ (Cr + n1)(modn1) i=1  X ≡ (Cr + n2)(modn2) (2) So X = (2 · 2 · 35 + 4 · 1 · 21 + 6 · 1 · 15)mod105 = 104. .  . Assume that RC1 has passed the registration requests  X ≡ (Cr + ni)(modni) for SMs, RC1 sends {X = 104, n1 = 3} to SM1 as the in- formation of authentication, and the real identity of SM1 is saved in RC1 as (EPU (ID), ni = 3). In the same Step 2. The RC sends {PUPC ,PURM , X, ni} to the SM PC after passing the user’s application information, way, RC1 sends {X = 104, n2 = 5} to SM2, and sends in this step, the communication channel is pri- {X = 104, n3 = 7} to SM3. vate; 4.2 SM Authentication Step 3. SM encrypts the real identity information ID with the PC’s public key, then return With one SM as an example, we explain the identity au- thentication and charging process of SM, as shown in Fig- {EPUPC (ID), ni} to the RC and save (X, ni) for identity authentication; ure 4. During this process, MD5 and Elliptic Curves Cryptography (ECC) are used as cryptographic hash Step 4. The encrypted SM identity information function and encryption/decryption algorithm. Com- pared with other public key cryptosystems based on RSA, (EPUPC (ID), ni) saved in RC. Where the ECC achieves the same level of security strength with relationship between EPUPC (ID) and ni is corresponding. smaller key size and less computational cost. Therefore, ECC is more suitable for devices with limited computing For example, one of the secret values chosen by CC is resources such as smart meters. Cr = −1, CC sends the secret value to RC1. RC1 expects Firstly, the SM encrypts the authentication infor- that there will be three SMs can be used, so the RC1 mation (X, ni) and the electricity consumption report International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 66

&&

D MSG PUPC () PC

MSG Eé E ID, C , n ù PC PUPCë PU PC () r i û

3& 50 60

h' ? h ' = h? = h MSG= E() X, n , PW , T MSG, h D( MSG ) MSG, h SM PURM i {}RM PRRM SM {}SM

DPR( MSG RM ) C X nn PC r?=() mod i - i h= H() MSG MSG= E()& , n , PW , T SM MSG= E& , n RM PUPC r i PC PRPC () r i h H MSG = ()RM

Figure 4: Authentication of SM

PW with the public key of RM to get the cipher- by using the following equation: text MSG = E (X, n , P W, T ), SM adds the SM PURM i C0 = (Xmodn ) − n timestamp T of the current system when encrypting r 1 1 0 the message to prevent replay attacks. In order to Cr = (104mod3) − 3 0 ensure the integrity of the information, SM computes Cr = 2 − 3 h = H(MSG ), which is the hash value of the ci- 0 SM Cr = −1 phertext MSG . Finally, the SM sends the message SM 0 The value of C from the SM1 is the same as the Cr {MSGSM , h} to the RM. r from RC1, it indicates that the SM1 is legally valid. 0 On receiving {MSGSM , h}, the RM computes h = RM adds (Cr = −1, n1 = 3) to the information and 0 H(MSGSM ) and checks if h = h. If it is verified, sends it to PC. after a billing cycle, PC sends MSGPC = the RM uses its private key to decrypt the ciphertext EPRPC (Cr = −1, n1 = 3) to the CC. The CC uses the DPRRM (MSGSM ) = (X, ni, P W, T ), and checks whether public key of the PC to decrypt the ciphertext MSGPC , timestamp T is valid. If it is verified, RM computes the and according to the secret value Cr = −1 to find out secret value C0 = (Xmodn ) − n . The RM checks if r i i the RC1, and then find out the EPUPC (ID) of the SM1 C0 = C , here C is the secret value of the RC allocation. r r r according to n1 = 3, CC returns {EPUPC (ID),Cr = If identical, indicating that the identity of SM is legal. −1, n1 = 3} to PC. After decrypting the information, the Then, the RM uses the public key of the PC to encrypt the PC obtains the real identity ID of SM1 and completes the relevant information of the SM and adds the timestamp T , billing function. obtain the ciphertext MSGRM = EPUPC (Cr, ni, P W, T ). Then, the RM computes h = H(MSGRM ) and sends the 4.3 Dynamic Update of Authentication message {MSG , h} to the PC. RM Conditions 0 On receiving {MSGRM , h}, the PC computes h = 0 The security of key and authentication conditions is de- H(MSGRM ) and checks if h = h. If it is verified, the PC uses its private key to decrypt the ciphertext creasing with time, so the key of each entity in SG and the authentication condition of SM need to be updated dy- DPRPC (MSGRM ) = (Cr, ni, P W, T ) and checks whether timestamp T is valid. If it is verified, the information is namically. In our scheme, all SMs belonging to the same accepted. After a billing cycle, the PC computes the to- RM have the same authentication conditions X and Cr, therefore, it is not necessary to calculate the authentica- tal charge of the user with the mark (Cr, ni) and sends tion conditions for each SM individually. The authenti- MSGPC = EPR (Cr, ni) to the CC. The CC uses the PC cation conditions can be updated uniformly, and it has public key of the PC to decrypt the ciphertext MSGPC , an absolute advantage in the actual implementation and and according to the secret value Cr to find out the cor- operation. responding RC, and then find out the real identity of the 0 When updating, CC selects new secret values Cr for SM according to ni, CC returns {EPUPC (ID),Cr, ni} to 0 PC. After decrypting the information, the PC obtains the each RC, the RC gets the new X according to the Equa- user’s real identity and completes the billing function. tion (5). X0 ≡ (C0 + n )(modn ) Take SM as an example, SM adds (X = 104, n = 3)  r 1 1 1 1 1 X0 ≡ (C0 + n )(modn ) to the information and sends to RM. In order to complete  r 2 2 . (5) the authentication of SM , when RM receives the infor- . 1  .  0 0 mation from SM1, RM calculates the secret value of SM1 X ≡ (Cr + ni)(modni) International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 67

0 0 The RC sends Cr to the RM, and sends X to all SMs, it can resist the attack, ”no” means that it cannot resist the SM uses X0 to replace the previous X, that the dy- the type of attack. namic update of authentication conditions has been com- pleted. 5.2 Communication Overhead Continue with the example above, CC selects new se- 0 0 cret value Cr = −2 for RC1, the RC1 gets the new X The proposed scheme mainly considers the communica- according to the Equation (6). tion overhead between SMs and RM. Because a RM cor- responds to a lot of SMs, when multiple SMs commu- X0 ≡ 1(mod3)  0 nicate with the RM at the same time, the communica- X ≡ 3(mod5) (6) tion overhead of the channel is an area that needs to be  0 X ≡ 5(mod7) paid attention to. We choose to compare with the exist- According to the solving process, X0 = (1 · 2 · 35 + 3 · 1 · ing schemes to illustrate that the proposed scheme has 0 more advantages in communication overhead when mul- 21 + 5 · 1 · 15)mod105 = 103. RC1 sends Cr = −2 to the 0 0 tiple SMs communicate with the RM at the same time. RM, and sends X = 103 to all SMs. The SM1 uses X = 103 to replace the previous X = 104, and sends {X = In the Li et al.’s scheme [19], the communication traffic between the RM and the SM includes {U ,C ,S , AP I }, 103, n1 = 3} to RM, RM calculates secret value of SM1 by i j j j 00 we know that the messages (Ui,Cj,Sj) are 128 · 3 = 384 using Cr = (Xmodn1)−n1 = −2, and it is the same as the 0 bits, and the AP Ij is the authentication path information secret value Cr = −2 from RC1, so SM1 completed the authentication under the new authentication conditions. which includes seven 128-bit cryptographic hash values. So the total communication overhead of each SM in once communication is 128 · 3 + 128 · 7 = 1280 bits. 5 Security and Performance Anal- In the Liu et al.’s scheme [18], the SM sends ysis {IDi,Cj,Sj} and the coefficient of f(x) to the RM, the messages (IDi,Cj,Sj) are 128·3 = 384 bits, and the com- This section presents the security and performance anal- munication overhead of f(x) is 128-bit. therefore, in total ysis of our scheme in comparison with existing programs. the communication overhead of each SM in once commu- nication is 128 · 3 + 128 = 512 bits. The communication overhead of Abbasinezhad et al.’s 5.1 Security Analysis i i scheme [25] includes the messages {IDi,Vj ,Mj } which When the messages is transmitted in the SG, it may be are 128+256+256=640 bits, so the total communication possible for an attacker to save them for later use. How- overhead of each SM in once communication is 640 bits. ever, in the proposed scheme, the senders adds a times- In the proposed scheme, SM sends information tamp T when sending messages and computes the hash {MSGSM , h} to the RM, the encrypted information value of ciphertext h = H(MSG). When the recipient MSGSM is 256 bits, and h is 128 bits. So the communi- receives the message, he will check the hash value and cation overhead of each smart meter is 256+128=384 bits. the timestamp, only h0 = h and in the effective time that As shown in Figure 5, When the number of SMs commu- the message will be processed. Therefore, the proposed nicating with the RM at the same time is increasing, the authentication scheme can resist the replay attack. proposed scheme uses less resources for SM communica- In the proposed scheme, The user’s real identity ID tion overhead. is encrypted into EPUPC (ID) and stored in the RC, the SM uses (X, ni) for authentication. Only the PC has 5.3 Storage Cost completed the electricity statistics, can the user’s identity be queried by PC and decrypted with its private key. In In the Li et al.’s scheme [19], the SM needs to store the whole process of SM authentication, any participant (rj,Cj, AP Ij), where j=1,2,3,...,128, The storage space cannot associate the real identity of SM with its real time of rj is 128 · 128 bits, the storage space of Cj is 256 · 128 power, so it can prevent internal and external attackers bits, and the storage space of AP Ij, where each AP Ij to analyze the user’s behavior. contains seven hash values, is 128·7·128 bits, so the total Furthermore, in the proposed scheme, the CC pro- required storage space is 34 KB. duces the main public key MPU and the main private In the Liu et al.’s scheme [18], the SM needs to store key MPR, each member of the SG calculates its own (rj,Cj,Rj), where j=1,2,3,...,96. The needed storage public and private key based on (MP U, MP R). In this space for rj is 128 · 96 bits, the storage space of Cj is way, the private key is only known to itself, so it can avoid 128 · 96 bits, and the storage space of Rj is 128 · 96 bits, the problem of key exposure. In addition, the authenti- so the total required storage space is 4.5 KB. cation conditions can be dynamic update in the proposed In Abbasinezhad et al.’s scheme [25], the SM needs to SM scheme, it is harder for attackers to get the authentication store Ei , which takes 256 bits. conditions. In our scheme, the SM only needs to store (X, ni), Our scheme is compared with other schemes in security, which takes 64+64=128 bits. Table 3 demonstrates the the results are shown in Table 2. where ”yes” means that storage space comparison. International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 68

Table 2: Security comparison

Scheme Malicious Power Man in the The third Replay Data integrity user company middle party attack attack Chim et al. [8] yes no yes yes yes yes Lee et al. [17] no no yes no yes yes Li et al. [19] yes no yes yes yes no Liu et al. [18] yes no yes yes yes no Abbasinezhad et al. [25] yes no yes yes yes yes Saxena et al. [27] yes no no yes no yes Proposed Scheme yes yes yes yes yes yes

5.4 Computational Cost we only consider the computation cost of a SM in each day, we divide 24 hours into small time intervals and set the length of the time interval to be 15 minutes, a SM 1600 collects the usage data with a pre-defined format during Proposed scheme every time interval. 1400 Li [18] In the Li et al.’s scheme [19], a SM needs to execute Liu [20] 1200 Abbasinezhad [1] 255 hash operations to construct the Merkle hash tree, 128 encryptions with two inputs for computing the Cj, 1000 128 random generations, and 1 encryption for the root node value. 800 In the Liu et al.’s scheme [18], each SM needs to exe- 600 cute 96 hash operations, one decryption, 96 encryptions for the f(x) coefficients, 96 random generations, and 1 Communication overhead (KB) 400 polynomial generation.

200 In Abbasinezhad et al.’s scheme [25], each SM needs to perform 200 one-input hash functions and 96 random 0 0 2000 4000 6000 8000 10000 generations. Number of SMs In our scheme, the calculation of authentication infor- mation of SMs is completed by cloud computing, and each Figure 5: Comparison of communication overhead SM only needs to execute 96 encryption operations and 96 hash operations.

6 Conclusion

In this paper, we have proposed a privacy-preserving and dynamic authentication scheme for smart meter, it solves the problem of smart meter authentication and user privacy-preserving, and avoids the leakage of key. What’s more, the authentication conditions of smart meter are dynamic update. Detailed security analysis shows that Table 3: Storage cost the proposed authentication scheme can resist the internal and external attack, and has a stronger security than the Scheme Storage cost existing scheme. Performance analysis demonstrates its Li et al. [19] 34 KB efficiency in terms of communication overhead and stor- Liu et al. [18] 4.5 KB age cost. Abbasinezhad et al. [25] 256 bits Proposed Scheme 128 bits Acknowledgments

This work was supported by NSFC Grants (No. 61772327No. 61202020No. 61532021), Project of Shang- hai Science and Technology Committee Grant (No. International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 69

15110500700) and CCF-Tencent Open Fund Grant (No. [14] Q. Jiang, J. Ma, G. Li and L. Yang, “Robust two- IAGR20150109, RAGR20150114). We would like to ex- factor authentication and key agreement preserving press our gratitude to the anonymous reviewers for their user privacy,” International Journal of Network Se- valuable feedback and comments which helped us to im- curity, vol. 16, no. 3, pp. 229–240, 2014. prove the quality and presentation of this paper. [15] W. S. Juang and J. L. Wu, “Efficient user authen- tication and key agreement with user privacy pro- tection,” International Journal of Network Security, References vol. 7, no. 1, pp. 120–129, 2008. [16] H. Khurana, M. Hadley, N. Lu and D. A. Frincke, [1] B. A. Akyol, Cyber Security Challenges in Using “Smart-grid security issues,” IEEE Security & Pri- Cloud Computing in the Electric Utility Industry, vacy, vol. 8, no. 1, 2010. 2012. [17] S. Lee, J. Bong, S. Shin and Y. Shin, “A security [2] M. Badra and S. Zeadally, “An improved privacy so- mechanism of smart grid ami network through smart lution for the smart grid,” International Journal of device mutual authentication,” in International Con- Network Security, vol. 18, no. 3, pp. 529–537, 2016. ference on Information Networking (ICOIN’14), [3] J. Baek, Q. H. Vu, J. K. Liu, X. Huang and Y. Xiang, pp. 592–595, 2014. “A secure cloud computing based framework for big [18] Y. Liu, C. Cheng, T. Gu, T. Jiang and X. Li, “A data information management of smart grid,” IEEE lightweight authenticated communication scheme for Transactions on Cloud Computing, vol. 3, no. 2, smart grid,” IEEE Sensors Journal, vol. 16, no. 3, pp. 233–244, 2015. pp. 836–842, 2016. [4] S. Bera, S. Misra and J. J. Rodrigues, “Cloud com- [19] H. Li, R. Lu, L. Zhou, B. Yang and X. Shen, “An puting applications for smart grid: A survey,” IEEE efficient merkle-tree-based authentication scheme for Transactions on Parallel and Distributed Systems, smart grid,” IEEE Systems Journal, vol. 8, no. 2, vol. 26, no. 5, pp. 1477–1494, 2015. pp. 655–663, 2014. [5] D. Chaum, “Blind signatures for untraceable pay- [20] S. Liu, X. P. Liu and A. E. Saddik, “Denial-of-service ments,” in Advances in Cryptology, pp. 199–203, (dos) attacks on load frequency control in smart 1983. grids,” in IEEE PES on Innovative Smart Grid Tech- [6] M. Y. Chen, C. C. Yang and M. S. Hwang, “Privacy nologies (ISGT’13), pp. 1–6, 2013. protection data access control,” International Jour- [21] A. M. Markham, P. Shenoy, K. Fu, E. Cecchet and nal of Network Security, vol. 15, no. 6, pp. 411–419, D. Irwin, “Private memoirs of a smart meter,” in 2013. Proceedings of the 2nd ACM Workshop on Embedded [7] J. C. Cheung, T. W. Chim, S. M. Yiu, V. O. Li Sensing Systems for Energy-Efficiency in Building, and L. C. Hui, “Credential-based privacy-preserving pp. 61–66, 2010. [22] F. G. Marmol, C. Sorge, O. Ugus and G. Mart´ınez power request scheme for smart grid network,” P´erez,“Do not snoop my habits: Preserving privacy in IEEE Global Telecommunications Conference in the smart grid,” IEEE Communications Magazine, (GLOBECOM’11), pp. 1–5. IEEE, 2011. vol. 50, no. 5, 2012. [8] T. W. Chim, S. M. Yiu, L. C. Hui and V. O. Li, [23] P. McDaniel and S. McLaughlin, “Security and pri- “Pass: Privacy-preserving authentication scheme for vacy challenges in the smart grid,” IEEE Security & smart grid network,” in IEEE International Confer- Privacy, vol. 7, no. 3, 2009. ence on Smart Grid Communications, pp. 196–201, [24] R. C. Merkle, “Protocols for public key cryptosys- 2011. tems,” in IEEE Symposium on Security and Privacy, [9] M. Esmalifalak, G. Shi, Z. Han and L. Song, “Bad pp. 122–122, 1980. data injection attack and defense in electricity mar- [25] D. A. Mood and M. Nikooghadam, “An ultra- ket using game theory study,” IEEE Transactions on lightweight and secure scheme for communications Smart Grid, vol. 4, no. 1, pp. 160–169, 2013. of smart meters and neighborhood gateways by uti- [10] S. Finster, “Smart meter speed dating, short-term lization of an arm cortex-m microcontroller,” IEEE relationships for improved privacy in smart meter- Transactions on Smart Grid, pp. 1, 2017. ing,” in IEEE International Conference on Smart [26] S. Rusitschka, K. Eger and C. Gerdes, “Smart grid Grid Communications, pp. 426–431, 2013. data cloud: A model for utilizing cloud computing [11] C. W. Gellings, The Smart Grid: Enabling Energy in the smart grid domain,” in First IEEE Interna- Efficiency and Demand Response, 2009. tional Conference on Smart Grid Communications, [12] A. Giani, E. Bitar, M. Garcia, M. McQueen, P. Khar- pp. 483–488, 2010. gonekar and K. Poolla, “Smart grid data integrity [27] N. Saxena and B. J. Choi, “Integrated distributed attacks,” IEEE Transactions on Smart Grid, vol. 4, authentication protocol for smart grid communica- no. 3, pp. 1244–1253, 2013. tions,” IEEE Systems Journal, no. 99, pp. 1-12, 2016. [13] J. N. Green and R. G. Wilson, Control and Au- [28] W. Stallings and M. P. Tahiliani, Cryptography and tomation of Electrical Power Distribution Systems, Network Security: Principles and Practice, vol. 6, vol. 28, 2006. Pearson London, 2014. International Journal of Network Security, Vol.21, No.1, PP.62-70, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).08) 70

[29] Y. Strengers, “Smart metering demand management Fuliang Tian Graduate. College of Computer Science programs: Challenging the comfort and cleanliness and Technology in Shanghai University of Electric habitus of households,” in Proceedings of the 20th Power. He research interests mainly focus on the Australasian Conference on Computer-Human Inter- security and privacy protection for the smart meter action: Designing for Habitus and Habitat, pp. 9–16, (Email:tianfl[email protected]). 2008. Anqin Zhang female, born in April 1974, teacher [30] W. Wang and Z. Lu, “Cyber security in the smart in College of Computer Science and Technology at grid: Survey and challenges,” Computer Networks, Shanghai University of Electric Power, Ph. D., associate vol. 57, no. 5, pp. 1344–1371, 2013. professor.She is a member of Chinese Computer Feder- [31] X. Wang and P. Yi, “Security framework for wireless ation.Her main research interest is: Data Mining and communications in smart distribution grid,” IEEE social computing. Transactions on Smart Grid, vol. 2, no. 4, pp. 809– 818, 2011. Xi Chen Graduate. College of Computer Science and [32] Y. Yang, K. McLaughlin, T. Littler, S. Sezer, E. G. Technology in Shanghai University of Electric Power. Im, Z. Yao, B. Pranggono and H.F. Wang, “Man- in-the-middle attack test-bed investigating cyber- security vulnerabilities in smart grid scada systems,” International Conference on Sustainable Power Gen- eration and Supply (SUPERGEN’12), 2012. [33] C. M. Yu, C. Y. Chen, S. Y. Kuo and H. C. Chao, “Privacy-preserving power request in smart grid net- works,” IEEE Systems Journal, vol. 8, no. 2, pp. 441– 449, 2014.

Biography

Xiuxia Tian received the MS degree in applied cryptography-based information security from Shanghai Jiaotong University in 2005, and the PhD degree in database security and privacy preserving in cloud com- puting from Fudan University in 2011. She is currently a professor in the College of Computer Science and Technology, Shanghai University of Electric Power. She is a visiting scholar of two years at UC Berkeley working with groups of SCRUB and SecML. She has published more than 40 papers and some papers are published in international conferences and journals such as DASFAA, ICWS, CLOUD, and SCN. Her main research interests include database security, privacy preserving (large data and cloud computing), applied cryptography, and secure machine learning. International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 71

Multi-party Fair Exchange Protocol with Smart Contract on Bitcoin

Lijuan Guo1, Xuelian Li1, and Juntao Gao2 (Corresponding author: Lijuan Guo)

School of Mathematics and Statistics, Xidian University1 No. 2 South Taibai Road, Xi’an, Shaanxi 710126, China (Email:[email protected]) State Key Laboratory of Integrated Services Networks, Xidian University2 Xi’an, Shaanxi 710071, China (Received Sept. 17, 2017; revised and accepted Dec. 8, 2017)

Abstract executing the protocol. For an honest participant, it is not fair if dishonest participants disappear or terminate Traditional multi-party exchange protocols need a the protocol after receiving their desired results instead of third party to ensure fairness. It can bring some commu- following the protocol to send messages to the expected nication costs and cryptanalytic attacks. In recent years, participants. In this case, it is impossible to force the researchers have focused on blockchain to design a fair ex- dishonest participants to send their private information, change protocol without a central authority. So far, there that is, the fairness is lost. Eslami et al. [11] propose are a few works on fair exchange protocols for any topol- a secure group key exchange protocol in the presence of ogy based on bitcoin. This paper puts forward a decen- dishonest participants. A third party is usually intro- tralized protocol for star topology based on the bitcoin, duced to deal with this dilemma. Pagnia et al. pointed that is, our protocol does not contain a third party. Com- out that it is out of the question to ensure strong fair- munication costs, information disclosure, and cryptana- ness of the protocol without the third party because the lytic attacks are not considered for the third party. These dishonest participants maybe vanish after receiving the features greatly reduce the burden and increase the effi- final part of honest participants’ messages without trans- ciency of the protocol. To guarantee the fairness, a com- mitting their own final part [22]. Of course, there are mitment scheme is provided. And the proposed protocol also some researches on other aspects. Lal and Das [21] constructs an ideal function as a smart contract. The propose a security analysis of protocols using action lan- bitcoin is automatically transferred in the limited time guage. Chang et al. [28] propose a privacy preserving instead of manual operations. Security analysis shows protocol in the multi-party model. On the other hand, that our construction can guarantee fairness, resist dou- researchers have been focusing on designing the proto- ble spending and sybil attack. Meanwhile, the proposed col which applies to various topology [10, 20]. There are protocol enjoys high efficiency. Moreover, with a slight four common topologies, namely, ring topology, sequen- modification, our protocol can be extended to apply to tial topology, star topology and mesh topology. Without any topology. exception, they all need the third party to guarantee fair- Keywords: Bitcoin; Compensation; Fair Exchange; Smart ness. Contract; Topological Construction But the third party increases communication costs and is vulnerable to the cryptanalytic attack. For example, the Sybil attack is possible if most participants are dis- 1 Introduction honest. In addition, this process will produce high trans- action costs for the micro payment. More importantly, Secure multi-party computation protocols originated the multi-party protocol also does not guarantee strong from the work of Yao [27] and have evolved and expanded fairness in the case of most participants being dishonest. by Goldreich et al. [14]. Following the protocol, a group As early as 1981, some researchers have tried to solve of participants can work together to achieve their goals the problems in the electronic coin field, such as privacy, by their private inputs. Note that the participants do security, fairness and inclusiveness and so on. But, due not trust each other, therefore, a basic requirement is to the existence of the third party, it is difficult to de- that any participant cannot obtain more messages about sign a protocol as a solution to these problems simulta- other participants’ inputs than they would learn when neously. Excitedly, a distributed digital currency of bit- International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 72 coin is proposed in 2008. Bitcoin has attracted a lot of designed an escrow protocol which has a mediator to deal attention because it has no an authority center to con- with disputes. This approach is similar to the protocol trol transactions. The underlying technology of bitcoin with an optimistic third party. Additional costs and at- is the blockchain technology. One of the features of the tacks may be added to the protocol. Zheng presents a bitcoin is the anonymity. Participants are identified by reputation system that deals with small amount of pay- the hash value of the public key. Therefore, it is difficult ment [29]. Strictly speaking, the above protocols only to link the transaction with the participant spending the apply to the mesh topology. money. Another major feature is that transactions are Time-lock is also introduced in the bitcoin transac- open and transparent so that anyone has access to it on tions. The functions change with different protocols. the blockchain. Fairness is usually guaranteed by pay- Back et al. [3] propose a lottery protocol that is fair ing some compensation to the honest participants when and secure. Time-lock is used to refund the deposit the dishonest participants fail to execute the protocol. if the protocol is terminated maliciously. Andrychow- Meanwhile, honest participants will not lose any bitcoins. icz et al. [1] advocate compensation for the honest par- Kılın¸c et al. put forward that we do not need to learn how ticipants beyond the limited time. Our ideal func- much value the output will be before assessment, and they tion FLedgercombines these two functions. The function think that the method for obtaining fairness with bitcoin FLedger first uses time-lock to make compensation for hon- is inappropriate [20]. However, The Kılın¸c et al.’s prob- est participants whenever dishonest participants appear lem can be settled as long as the compensation payment and last time-lock is used to refund the deposit and trans- is agreed by the participants. Meanwhile, convenient con- fer the consumption funds. ditions are provided for designing protocols that apply to The three largest bitcoin trading platforms in China, any topology. In some topologies, participants may need Huobi, Bitcoin China and OKcoin, provides bitcoin mar- to execute the protocol in the default order. The pro- ket, bitcoin price, litecoin market and other digital cur- posed protocol significantly improve efficiency compared rency trading. Users can store bitcoin safely on the plat- with the traditional multi-party protocols [10, 20] which form. There is an optimal balance between high security suitable for any topology. So far researchers put forward and the convenience of users. However, currently, bitcoin a lot of protocols but most protocols only apply to the has not been able to be used on a large scale in actual mesh topology. However, there are a few works based on transactions. On the one hand, the law is not established bitcoin to apply to any topology. about the trading platform of virtual currency in China In recent years, security is studied frequently on bit- yet. The so-called ”virtual currency” such as bitcoin has coin [4,12,17]. Maxwell proposes the zero knowledge con- increasingly become a tool for money laundering, drug tingent payment. It solves the problem of buying a set- traffic, smuggling and illegal fund-raising activities. On tlement to an NP-problem with bitcoin. Juels et al. [18] the other hand, the blockchain technology is still unde- buy private keys to the specified public keys with Turing- veloped in the security aspect. If users are increasing complete scripting language in the protocol. The platform sharply, the security of the system will be threatened. is relatively complex. Kiayias et al. [19] propose a formal Over these considerations, we propose a multi-party model with compensation to achieve security by using a fair exchange protocol with smart contract on bitcoin. shared global transaction ledger. Ruffing et al. [25] put Our fair exchange protocol is an online B2C based on forward a completely decentralized non-equivocation con- bitcoin. Our protocol is also inspired by the commitment tracts by the penalty mechanism. These works explore scheme [1] and function [2]. Blockchain is characterized how to design a general fair exchange protocol with a by its nature of decentralization, anonymous, information penalty. We prefer a specific application scenario, but sharing. Based on these features, the advantages of our the general theory is not completely applicable in differ- proposed protocol are manifold. ent scenarios. Researchers also have focused on complex 1) The proposed protocol strongly relies on blockchain financial transactions on blockchain. Bentov et al. [7] pro- which is no central controller. If there is a third party, pose a lottery protocol based on the definition of the ideal we must consider communication costs, information primitive. One drawback is that the winner is randomly leakage and cryptanalytic attacks for it. Our pro- selected among all participants. Andrychowicz et al. [1] tocol avoids these problems. Meanwhile, we do not design a winner function in which the winner is decided employ some general methods, such as zero knowl- by the input of all participants. The lottery protocol edge compilers and oblivious transfers, therefore, our which describes the input and output of the transaction protocol has a high efficiency. through scripting language is given based on the commit- ment scheme. Bartoletti et al. [5] also propose a lottery 2) We construct an ideal functionFLedger with a counter protocol but they make a contribution to the constant as a smart contract. Meanwhile, a commitment deposit. However, many tournaments need to be held to schemeFcs is proposed based on the scheme in [1]. get the winner if the number of participants is large.In Our protocol is a (FLedger,Fcs )–hybrid model. Some brief, researchers have paid more attention to lottery pro- protocols [1, 5, 13] have also taken advantage of the tocols [1, 5, 7]. At present, there are few works about ideal of deposit and time-lock, but none of them have e-commerce of using bitcoin [16,22]. Goldfeder et al. [13] given a detailed description of the smart contract. International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 73

Our protocol not only gives a specific process but also an address is a hash of public key. Each participant can improves security and efficiency, that is, not only can execute a bitcoin transaction, sending bitcoin from one fairness be achieved but it can be executed automat- address to another address. In order to illustrate the prin- ically within the specified time. ciple we give two transactions in Table 1.

3) The proposed protocol is a star topology. Some con- sumers quit will not affect other consumers. Finally, Table 1: Simple form of transaction the protocol can be extended to any topology. Until now, no other constant-round protocol can offer no Ta in: center,(FLedger,Fcs )–hybrid model and any topology with a slight modification simultaneously. And there in-script:sig(.) is no compromise on security, that is, protocol pro- out − script(depict, σ): vek(depict, σ) vides fairness and can resist forgery attack, double value : va spending and sybil attack. lock-time:t

The rest of this paper is given as follows. Section 2 introduces bitcoin transactions and some symbols. Sec- tion 3 shows a commitment scheme. Section 4 proposes T fair exchange protocol with compensation and presents an b in:T ideal functionF which can be shared by all partici- a Ledger in-script:sig(.) pants in an open and transparent manner. Section 5 gives out-script(...):... the security analysis. Section 6 describes how to extend value : v the protocol to any topology. Section 7 performs a pro- b tocol comparison. Section 8 provides a brief conclusion. lock-time:t

2 Preliminaries The in-script of the transaction Ta is a signature, and the out-script is a validation algorithm. The transaction Bitcoin system is a decentralized system that allows Ta transfers a value va. Moreover, there is a lock-time t participants to exchange virtual currency anonymously. that tells us when the transaction is over. Transactions All bitcoin transactions are recorded on the blockchain like Ta are called standard transaction. Anybody can (also called ledger). These data are open and transpar- spend an amount of va bitcoin as long as she/he can sat- ent and everyone has access to it. Recently researchers isfy the specific rules in Ta’s out-script. The transaction are devoted to expanding the application from the simple Tb contains a list which is the cryptographic hash of the transfer currency to complex financial transactions on the whole Ta,and in-script contains values to evaluate to true blockchain. The script language is relatively comprehen- on the out-script of Ta. Then the va bitcoin is transformed sive. But it is not Turing-complete, one of reasons is to from the transaction Ta to a new transaction Tb,and Ta avoid denial of service attacks. cannot be redeemed again. The transaction Tb can be re- Bitcoin structure contains many nodes called miners. deemed by meeting its out-script. Now parametersfx, wx The transactions are collected by miners who participate are given,where fx is a description function and output is in the calculation of proof of work to produce blocks. Min- a Boolean function,wx is the number of bitcoins that is ers attempt to produce a block, containing the previous are transformed from one address to another. We give a block’s hash value, by calculating the hash function value more specific description, that is, a transaction is in the satisfying the current transactions’ data. If one or more form Tb = (Ta, fb, wb, σb), where [Tb] = [Ta, fb, wb] is de- new blocks are formed on top of the longest chain simul- fined as depict. σb is considered to be a witness that is taneously, they appear parallel branches. If it happens, used to evaluate the correctness of fb on Tb. The wit- miners must choose a branch to continue mining process. ness can be simplified as a signature. Transaction Tb is This contradiction is resolved when one branch becomes valid when fb’s evaluation of the input Ta is correct.To longer than the other branches and miners continue min- describe simplicity,σ represents the witness and depict ing in the longer branch. Therefore, it is very difficult if stands for [Tx] of the current transaction in the subse- adversaries want to mine a new alternate branch. The quent scripting language. probability of success decreases exponentially with the There are other styles of bitcoin transaction. A trans- number of new blocks on top of the longest chain. Trans- action may have multiple inputs and outputs. It is given actions are confirmed if six blocks have been added to the in the Table 2. The transaction has multiple outputs but block (It is about 60 minutes). only one out-script and one value, and outputs can be A transaction is the basic component of the ledger. The independent redeemed. We ignore the fact that there are transaction may have one input and one output, multiple multiple out-scripts because it will not be used in our inputs and one output, one input and multiple outputs paper. Therefore, we should specify which output is re- or multiple inputs and multiple outputs. We assume that deemed. A suitable in-script must be provided for each of International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 74 them if a transaction is redeemed using multiple outputs 3 Models of the above transaction as inputs. In order to ensure success of the transaction, the sum of all outputs values We will consider some scenarios in which a merchant should be equal to or less than the sum of all inputs. has some information/goods and many consumers intend to buy it,or the first class agent wants to expand multiple second class agents simultaneously. The proposed proto- Table 2: General form of transaction col is applicable to the scenario that information is sent to multiple participants at the same time, and participants T do not know each other but they know how many peo- in[0]:T0 ple are involved in the protocol. Obviously, the efficiency .... of transmitting to multiple participants simultaneously is in[n]:T0 higher than the efficiency of transmitting to a user. For in-script:W0 convenience, we take the merchant and consumer as an .... example. A merchant is trade with multiple consumers in-script:Wn simultaneously. It is a star topology. The proposed pro- out-script(...):... tocol provides the following security properties. Sun et value:v al. [26] also proposed a multi-receiver protocol but it is lock-time:t based on chaotic maps with privacy protection. F airness. Once the protocol ends, either all partici- pants have the desired information, or none of them can receive it. There are three main characteristics.

2.1 Symbols 1) A malicious merchant cannot gain bitcoins from an honest consumer unless he creates a proper open In this section we describe some notations in the paper. transaction.

• M: Merchant; 2) A malicious consumer cannot gain desired informa-

• Pi: Customer, where i ∈ {1, 2, ··· , n}; tion from the merchant if he refuses to pay bitcoin.

• H(.): Collision resistant one-way hash function; 3) They not only cannot obtain the desired information but also lose the deposit if malicious participants con- • (pkj, skj): Public and private key of the j-th partic- ipant, where j ∈ {1, 2, ··· , n}; spire to try to cheat honest participants information or BTCs. 0 0 • (pkj, skj): Updated public and private key of the j-th participant, where j ∈ {1, 2, ··· , n}; Resistingdoublespendingattacks. The same transac- tion cannot be redeemed more than once. • sigj(.), vekj(.): The RSA signature on message with Resistingsybilattacks. It does not work even if an private key skj and verification of message with pub- adversary creates lots of fake identities. lic key pkj,where j ∈ {1, 2, ··· , n}; We assume that the merchant and consumer are con- 1 n • M , ··· ,M : They are unredeemed transactions nected through insecure channels. Accordingly, a trans- which only can be redeemed by the merchant; action may be intercepted or tampered with. Participants • Di,Ci: They are unredeemed transactions which (including the merchant and consumer) and the ledger are connected with secure channels. This problem of trans- only can be redeemed by the customer Pi, where i ∈ {1, 2, ··· , n}; action malleability [1] must be considered in designing protocol. In Section 4, we propose a protocol that is se- • s, si: The unique secret of merchant and the i-th cure even though an adversary gets all the transaction customer respectively where i ∈ {1, 2, ··· , n}; information before posting on the ledger.

• m, mi: Blinded secret of merchant and the i-th cus- tomer respectively where i ∈ {1, 2, ··· , n}; 3.1 Commitment Scheme Fcs • commiti, depositi, openi: Merchant creates transac- In [1], the commitment scheme solves the problem of tions for the i-th consumer where i ∈ {1, 2, ··· , n}; standard commitment schemes which are not able to force M M M • commiti , depositi , openi : Consumer Pi creates a committer to open his real secret if he/she terminates transactions for merchant M,where i ∈ {1, 2, ··· , n}; before open transaction. The protocol [1] requires each committer to pay some BTCs as deposit. The deposit • T : The maximum delay time in which transactions will be sent to other participants if the committer re- appear on the ledger; fuses to open the promise within the specified time. There • BTC: Bitcoin. are three phases: pre-condition phase, commitment phase International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 75

M and open phase. Each participant has the same commit- if P1 does not post transaction commit1 in ment, that is, the number of deposits is same. Our com- step4. Pi stops the deal if Pi has not received mitment scheme is inspired by the scheme in [1]. The depositi by the end of the time 2T . Consumer M proposed scheme has only two phase and commitments Pi creates the transaction depositi , signs it and M are different between merchants and consumers from that sends depositi to the M,respectively. M has M in [1]. Our commitment program has a distinctive fea- not received depositj by the end of the time ture, that is, a consumer has agreed to take part in the 2T . It marks that Pj stopped protocol, where protocol, but he may have not enough money or lose in- j ∈ {1, .., n}. terest in the deal in commitment phase. If it happens, he can quit the protocol. Other consumers will not be affected because their transactions are independent. 4 Fair Exchange Protocol with We now define the commitment scheme. First of all, Compensation the ledger has n unredeemed transactions M 1, ··· ,M n which only can be redeemed by the merchant and has one Loosely speaking, the proposed fair exchange protocol output-script. However, multiple output transactions are has the following features. required. In fact, one output-script can contain multiple output transactions in the real world in order to avoid a 1) Participants can take part in the protocol only if he complex description of the script. The ledger also has n has enough BTCs. i unredeemed transactions D which only can be redeemed 2) No honest participant needs to pay a penalty. Honest by the consumer Pi, i ∈ 1, .., n independently. And the participants will obtain the desired information or commitment phase has time limit. The specific descrip- be compensated as long as the protocol is executed tion of the commitment scheme is shown. correctly. Pre-condition: 3) If an adversary and/or dishonest participant re-

1) The merchant M has a key pair (pkM , skM ) place(s) the secret but honest participants reveal se- and the consumer has a key pair (pki, ski), i ∈ cret in the right way, then the honest participants {1, .., n}. are compensated accordingly. 2) The ledger has n unredeemed transactions 4) Transactions will not be affected between consumers M 1, ··· ,M n which only can be redeemed by the and merchants even if there are dishonest partici- merchant and the sum of value v = dn BTCs. pants. Meanwhile, a consumer’s quit does not affect The ledger also contains n unredeemed transac- other participants because consumers are indepen- tions D1, ··· ,Dn which only can be redeemed dent. by the consumer P1, ··· ,Pn and the value is d BTC, respectively. We construct a fair exchange protocol with compen- sation in a mixed model(FLedger,Fcs). The commitment Commitment phase: scheme Fcs makes sure that each participant has enough BTCs to make a promise. In other words, each participant 1) The merchant M computes h = H(m). Then must have a number of BTCs that are required to partic- he posts the transactions commit1, .., commitn ipate in the protocol. The ideal function (F (It will on the ledger. The transactions M 1, ··· ,M n Ledger be presented in Section 4.2.)ensures that we provide fair- are used as input. Consumer P computes h = i i ness. In the following, we assume that all the participants H . Then he posts the transaction commitM mi i are rational, that is to say, they do not want to lose their on the ledger and the transaction Di is used as own interests. Therefore, participants will not deliber- input, where i ∈ {1, .., n}. The hash value is a ately delay time to post transitions on the ledger. More- part of the commitment. over, consumers also need to earn others BTCs in order i 2) If some transactions commit from M are not to purchase information/goods from the merchant. These posted on the ledger at the end of time T , or BTCs come from unredeemed transactions Ci which only some of them are wrong. Then the protocol can be redeemed by the consumer P , i ∈ 1, ..n and the M i is cancelled. If a transaction(or more)commiti value is x BTCs, respectively. In the bitcoin system, key from Pi is not posted on the ledger at the end of pair is updated in each new transaction. In the commit- time T . For simplicity,we assume that there is a ment scheme Fcs, every consumer Pi has a blinded secret consumer P1 who does not post the transaction m , i ∈ 1, ..n and the merchant M has a blinded value M i commit1 . This indicates that P1 gives up the m. For the sake of simplicity, blinded secret is denoted deal. as z ∈ m, mi and the committer sends blinded secret to 3) The merchant M creates the transactions the corresponding receiver in the execution phase. Hon- deposit1, ··· , depositn,signs them and sends the est participants keep z secret until the transaction open i transaction deposit to Pi, where i ∈ {1, .., n}. in the execution phase. Each participant plays a role of The transaction deposit1 will not be created the committer. If the committer is honest, an adversary International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 76

would not able to get any valuable information about the mi. Then Pj reveals the same secret mi = mj. During M secret before opening the transaction. Every recipient can execution phase, consumers post transactions consumei ensure that commitment can only be opened in one way on the ledger. Ideal function FLedger is used if some trans- and the secret cannot change with the committer. If com- actions go wrong. Finally, all participants perform trans- mitter is trying to cheat or an adversary tampered with action open to reveal secret. ∗ the information, every recipient can terminate the proto- Suppose s, si ∈ {0, 1} . We define z = (r1||(s/si)||r2) k/2 col. If the committer refuses to execute open transaction, where r1 and r2 are randomly selected in {0, 1} . The his deposit is transferred to the appropriate recipient as receiver verifies whether H(z) is equal to h or not. If it compensation. Therefore, the rational participants will is right, then restore s/si by isolating left-hand k/2 and open their commitment in the specified time T in order right-hand k/2 bits from z. The receiver rejects the trans- not to lose their BTCs. The process of protocol is de- action open if H(z) 6= h. H is a collision resistance one scribed as follows. way hash function in order to prevent malicious commit- ters or adversaries from opening their promises in different Pre-condition phase: ways.

1) Every participant Pj has a key pair(pkj, skj), j ∈ {1, ··· , n, M}, respectively. 4.1 Ideal Function FLedger 2) The ledger contains unredeemed transactions Ci The function FLedger is a public ledger. It can be ac- which only can be redeemed by the consumer cessed by participants and even the others entities. Par- Pi, i ∈ {1, ··· , n} and the value is x BTC(s). ticipants generate valid transactions. Miners gather these 3) Each consumer Pi generates a new key pair transactions in a regular sequence which is treated as the 0 0 (pki, ski), i ∈ {1, ··· , n} and the merchant M state of the ledger. In bitcoin system, a new block of 0 0 generates a new key pair (pkM , skM ). They transactions will be embedded in the ledger around ev- send public key to all other participants. ery 10 minutes, and the state of the ledger will update accordingly. Transactions are not posted on the ledger Commitment phase: directly. Miners first add a transaction to a buffer if the 1) All participants must perform the commitment transaction is valid. After a certain time, all transactions scheme. Assume that the current time is t. This in the buffer will be posted on the ledger in sequence. phase ends at the time t + 2T . The bitcoins of transactions commit rom the merchant and customers are transferred to a default account. Par- 2) If hi = hj for i 6= j, the participants ofPi/Pj ticipants have an agreement that conditionally transfers abort protocol. some bitcoins to other party who can provide some spe- Execution phase: cial data in a transaction. We employ FLedger as a smart contract. Smart contract can keep data in a local mem- M 1) Consumer Pi posts transaction consumei on ory and change its local storage whenever a transaction the ledger using transaction Ci as input. If some is received. This bitcoin will not be transferred until a transactions are not posed on the ledger at the certain time. In the end, the bitcoins in the account may end of the time t + 3T . The merchant M signs be back to the party who initiated the transaction or send M appropriate transaction depositi and sends it to other participant. A detailed description of the process to ideal function FLedger. is as follows. 2) The merchant M posts the transactions All participants have access to function FLedger. Set open1, .., openn on the ledger and the consumer the parameter values for the function. There are con- M stant T, buffer and counter. The default setting is Pi posts the transaction openi on the ledger, respectively. Meanwhile, they reveal secrets. buffer := ξ, counter = 0 at the start of communication. The counter adds1 every T minutes. 3) If a transaction openi does not posted on the i i ledger within the time 4T , Pi signs deposit and Step 1: Upon receiving commit from the mer- M sends it to ideal function FLedger. This process chant and/or commiti from the consumer,where is the same for the merchant. i ∈ {1, .., n}. If V alidate(commit) = 1, commit ∈ i M {commit , commiti }, then set buffer : = buffer||commit. At counter = 1, received commit are listed as a table that is defined as List1, such as Our protocol is composed of three parts. Pre-condition 1 n M (commit ,P1), ··· , (commit ,Pn), (commiti ,Pi), ı ∈ phase prepares with all pre-protocol information, enough {1, .., n}. money and public messages. Commitment phase per- forms commitment scheme. Step 2 is to resist a copy at- Step 2: Upon receiving depositi from the merchant M tack in the execution phase. For example,Pi makes a com- and/or depositi , i ∈ {1, ··· , n} from the con- mitment to his hash hi then Pj promises with the same sumer. If V alidate(deposit) = 1, deposit ∈ i M hash hi = hj. Pj does nothing until Pi reveals his secret {deposit , depositi }, then set buffer := International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 77

Figure 1: The process of protocol’s transactions

M buffer||deposit. At counter = 2, received deposit is received. If vekM [sigM (V alidate(depositi ))] = 1 are listed as a table that is defined as List2, such as and Pi ∈ List1∩Pi ∈ List2∩Pi ∈ List3∩Pi ∈/ List4, 1 n M (deposit ,P1), ··· , (deposit ,Pn), (depositi ,Pi), i ∈ then sends x BTC(s) to the merchant and remove {1, .., n}. Pi from the List1, List2, and List3. Otherwise the M information is ignored. A consumer also performs Step 3: Upon receiving consumei from con- M a similar process if he/she does not get an effective sumer,where i ∈ {1, .., n}. If V alidate(consumei ) = i M open . 1, i ∈ 1, .., n, then set buffer := buffer||consumei . M At counter = 3, received consumei are listed Step 7: At counter = 6, BTCs which are belong to the as a table that is defined as List3, such as rest of Pi ∈ List3 are transferred to the merchant M M (consume1 ,P1), ··· , (consumen ,Pn), i ∈ {1, .., n}. and the coins of commit are returned to the party Step 4: During counter 3 to 4, a signed transaction that initiated the transaction. M sigM (depositi ), i ∈ {1, ··· , n} from the merchant M The contract storage can be used for function FLedger is received. If vekM [sigM (V alidate(depositi ))] = 1 to preserve account balances for each address. The bal- and Pi ∈ List1 ∩ Pi ∈ List2 ∩ Pi ∈/ List3, then sends ance of accounts has one feature that a certain amount x BTC(s) to the merchant and remove Pi from the of BTCs can be shelved. Once the function FLedger be- List1 and List2. gins, block timestamp and counter will be checked. The M participant requests the function F if he does not re- Step 5: Upon receiving openi from the con- Ledger sumer and/or openi from the merchant, where ceive or receive the wrong transaction information. The i ∈ {1, ··· , n}. If V alidate(open) = 1, open ∈ function FLedger solves the problem automatically. M i {openi , open }, then set buffer := buffer||open. At counter = 4, received open are listed as a table that is defined as List4, such as 5 Models (open1,P ), ··· , (openn,P ), (openM ,P ), i ∈ 1 n i i In bitcoin system, all transactions can be traced and {1, ··· , n}. every BTC can be traced back to the first block in which Step 6: During counter 4 to 5, a signed transaction BTC is created from the transaction. However, this does M sigM (depositi ), i ∈ {1, ··· , n} from the merchant not mean anonymity is lost. Public and private key pairs International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 78 are generated randomly in every new transaction, and it the block which contains the real transaction, but the ad- is difficult to known before they are produced. And an versary is still able to catch up with honest nodes.In this address is a hash of public key. Therefore, it is impossible case, we calculate the probability as follows. to recognize the true identity of the participant only from ∞ ( c−k the public transaction. To strengthen anonymity, the ad- X (qa/qh) if k ≤ c λke−λ/k! × (2) dress is updated for each new transaction in the protocol. 1 if k > c Meanwhile, every transaction contains the signature of a k=0 merchant or/and a consumer. The probability of forging Simplify the above Equation (2) leads to 1 − a signature is negligible [16,24]. It is difficulty to tamper Pc k −λ c−k k=0 λ e /k! × (1 − (qa/qh) ). The probability of with and/or forge a transaction. double spending can be ignored if the adversary fails to One of the main problems of electronic currency is dou- cheat at the beginning. Our protocol will confirm success ble spending because electronic sequence number can be of the transaction in the sixth block. Therefore, the prob- copied easily. There is no center node to monitor transac- ability of double spending can be ignored in the proposed tions to prevent the double spending. For overcoming this protocol. disadvantage, all transactions are broadcast. Then they can be verified by the nodes in the network. Through Then we discuss another property. An adversary cre- the P2P network, all nodes can keep a transaction chain ates a large number of false identities under his control and record the flow of transfer funds of transactions. The in the sybil attack. In order to attack our agreement, essence of bitcoin transaction records is currency trans- the adversary may create l consumers who perform the fer records. We can learn the source and destination of protocol. Firstly, the commitment scheme should be im- BTCs from the records. We set the participants can re- plemented and the deposit is necessary if he wants to get ceive the BTCs after verification of six nodes (that is to the desired information. This is contrary to the original say, about six blocks are formed.). Of course, the more intention for sybil attack. The adversary wants to get in- blocks you produce, the more secure the transactions can formation from the merchant or BTCs from the honest be. However, we cannot prevent duplicate payments of participant but does not want to pay any BTC. There- dishonest consumers. Some participants may wait until fore, the sybil attack does not work. On the other hand, the transactions are fully accepted by the network nodes the aim of the sybil attack is to break the fairness. In the before completion of the payment, but some careless par- BTC system, miner nodes employ themselves in proof of ticipants may be deceived. Once the payment is success- work computations to produce the block. The adversary ful, there are not relevant mechanisms which are used to wants to break the system. He needs to control at least recover the illegal transfer in the BTC system. There- a half of the computing power of total computing power fore, there is a possibility that a consumer will also pay which is the linked computing power of all the other hon- the same currency to different parties to form a double est participants of the protocol. To summarize, it is not payment. Now let us calculate the probability. helpful to the adversary by producing many false identi- Definition 1. An adversary can catch up with hon- ties. Pc k −λ Finally, fairness will be proved.We construct a encapsu- est miners with probability 1 − k=0 λ e /k! × (1 − c−k init div abt (qa/qh) ) when there are c blocks behind the block in late function E(G) and set three models G ,G ,G . which contains the real transaction. Specifically, Ginit guarantees that parties can participate in the protocol only if he has enough BTCs. Gdiv guaran- Proof. Supposing that q indicates the probability of find- h tees that the honest participants do not lose BTCs when ing the next block of honest nodes, q indicates the prob- a performing the protocol. Gabt guarantees that the hon- ability of finding the next block of adversaries and q indi- c est participants will obtain BTCs as compensation if they cates the probability that an adversary can catch up with do not receive the information or receive the wrong infor- honest nodes after c blocks. Obviously, mation. More specifically, the encapsulate function E(G) ( init 1 if qh qa ensures that G is true by checking global setup af- q = 6 (1) c (q /q )c if q > q ter receiving information from participants. If validation a h h a passes, the next step is executed.Otherwise, protocol is qc decreases exponentially with the increasing number of terminated. At the same time, E(G) is useless if there div new blocks if qh is greater than qa. The probability of are not enough BTCs to execute the protocol. G s success is smaller with the increasing of the block if an satisfied when the dishonest participants have a negative adversary does not succeed at the beginning. An honest financial balance. Gabt is met when honest participants participant is waiting the transaction which is added to a have a positive financial balance. Anyhow, any input will block and might even be c blocks behind it. However, he be ignored if the requirements are not met in the model. does not know how many blocks an adversary had gener- The input of function UC should be given with a high ated. It is assumed that the speed at which honest nodes priority. UC is a local function (for more info please re- generate block is the same as that of the blockchain. Then fer [7,19]). A participant can obtain resource setup which the progress of an adversary is consistent with Poisson dis- contains updated public and private keys. Resource setup tribution that is λ = c(qa/qh). There are c blocks behind is associated with global ledger by generating algorithm International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 79

Gen {(0, 1)∗}2 ← 1∗. Then public key is broadcast and Definition 2. Let π be a probabilistic non-uniform poly- the simulator receives public and private keys. The spe- nomial time (PPT) protocol.We say that π achieves fair- cific description of the encapsulate function is given. ness with global ledger defined as G if the status of follow- The function E(G) interacts with the merchant M, ing statement is correct.Let Π be a non-uniform PPT pro- consumers Pi, i ∈ {1, .., n}, the adversary S, the local tocol in (G, E(G)) hybrid model. For every non-uniform function UC and the environment Z.There are three mod- PPT real word adversary A attacking π there exists a non- els Ginit,Gdiv,Gabt, and there is a generate algorithm uniform PPT ideal word simulator S so that for every {(0, 1)∗}2 ← 1∗ for generating resource setup. It is a one- non-uniform PPT environments Z it holds. way process that transactions are posted on the ledger. G,E(G) G The ledger has two output transfer models, that is, fair IDESΠ,S,Z ≈ REALπ,A,Z (3) transfer model and delay transfer model. The function Proof. By the conditions described above, π achieves fair- E(G) also has an indicator bit c which is set to 0 at the 0 0 beginning. c is used to indicate whether information sent ness with G. We hold ∀A , ∃S that leads to ∀Z. by the adversary S to UC is blocked. G,E(G) G IDESS0,Z0 ≈ REALπ,A0,Z0 (4) • Setup. The algorithm Ginit,Gdiv,Gabt generates re- Next, let us prove Equation (4). The proof process is source setup which is needed in every new transac- similar to [19]. First, let us start with an introduction tion. G to REALπ,A,Z . Suppose that L is a polynomial upper bound value of many specific examples of π and let π(l) • Once receiving information N from UC to its simu- represents l − th reproduce of protocol π. Suppose adver- lator, if c = 0 sends N to S. saries A = (AΠ,Aπ(1),Aπ(2), ··· ,Aπ(L)), let Aπ(l)) rep- • Once receiving information N from S if c = 0 sends resent an interact with the l − th reproduce of protocol N to UC as information from the simulator. π. And the environment supplies input to the protocol Π and obtains the corresponding output result from proto- col Π. Meanwhile, the input and output of subroutines • Once receiving a transaction commit from M/Pi, posts it to global ledger. If Ginit is not satisfied(e.g. π(l) are provided by protocol Π. Then let us show that G,E(G) BTCs are not enough, transaction has redeemed, ad- (G, E(G)) hybrid model performs IDESΠ,B,Z . Suppose dress is inconsistent, etc.) then set c = 1. E(G)[l] represents l − th reproduce of the function E(G). Q Q Q Q Also, we define the B = (A ,S (1),S (2), ··· ,S (L)), Q • Delay output. Once receiving information from UC where every S (l) is an interact with the l − th examples marked (delay, sid, N, Pi) send N to M/Pi by delay of function E(G). Similarly, the environment supplies in- output. put to the protocol Π, and the input of subroutines of Π is supplied by Π. It is no doubt that all examples of • Fair output. Once receiv- protocol are allowed to contact global ledger. ing information from UC marked Through the above, we say that ideal world and real (fair, sid, obj, (m, P1), ··· , (m, Pi), (m1,P1), ··· , (m ,P )), (m ,S)), it sends (sid, obj, P , ··· ,P , m ) world are indistinguishable in the mixed argument. The i i s 1 i s l to S. mixed is defined as Mix . In order to describe the conve- nience, Mixl are given as following. • Fair delivery. Messages (delivery, sid, obj) are re- Suppose Πl expresses an example of the protocol Π. ceived from S then the information (obj, ...) will be sent to S by doing the following.Each pair • l − 1 examples of the protocol Π,defined (m, P/M) is associated with the obj, and sets π(1), ··· , π(l − 1). Hd = {(m, P/M)|P/M is honest}. It forwards • L − l + 1 examples of the function E(G), defined {(m, P/M)|P/M is corrupted} to S. If the P/M in E(G)[l], ··· ,E(G)[L]. the Hd is corrupted on the way, then sends the cor- rupted (m, P/M) to S. Next, perform the following Suppose Al expresses the reproduction of the following operations. adversary.

Π Remark 1. Once input information (m, P/M) from S • A ; π and the obj has the pair (m, P/M) ∈ Hd. Then the infor- • l − 1 examples of the protocolA ,defined mation is posted on the ledger.The information is ignored Aπ(1), ··· ,Aπ(l−1). if Gdiv is wrong. Otherwise, remove (m, P/M) from H . d • L − l + 1 examples of the simulator Sπ, defined π(l) π(L) Remark 2. Once abort information (m, P/M) from S S ,S . and the obj has the pair (m, P/M) ∈ Hd. Then the infor- Suppose B¯ contains l reproductions of adversaries and mation is posted on the ledger.The information is ignored l reproductions of protocol(/function) examples. Define abt if G is wrong. Otherwise, removes (m, P/M) from Hd. B0 contains l − th reproduction of adversary A and l − th International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 80 reproduction of protocol (/function) example. B¯ equals topology and sequential topology. There is no doubt that Mixl if A = Sπ(l) and π = E(G)[l]. B¯ equals Mixl+1 if our protocol is easier to apply to mesh topology. The A = Aπ(l) and π = π(l). Next, we assume that Mixl and process of applying our protocol to hybrid topologies is Mixl+1 are indistinguishable. similar.

Lemma 1. The output between Mixl and Mixl+1 (ad- jacent mixtures)is indistinguishable for non-uniform PPT 7 Protocol Comparison environments Z, where l ∈ {1, .., L}.

Proof. We assume that a non-uniform PPT environment Every multi-party exchange protocol is dependent on Z can show the difference between Mixl and Mixl+1. different technologies. We define the MFE to be the tra- G G ditional multi-party fair exchange and MPCS to be the In other words, IDEALΠl,Al,Z 6≈ IDEALΠl+1,Al+1,Z . In this case, it is assumed that Z can simulate all interactive traditional multi-party contract signing. Recently, re- behaviors except for the l − th subroutine. searchers have proposed some multi-party fair exchange We can learn that IDEALG can be protocols based on bitcoin. The literatures [10,20] are tra- Πl+1,Al+1,Z ditional multi-party protocols, and the literatures [1, 5] represented by IDEALG . By the same rea- Sπ(l),Zl are multi-party protocols based on bitcoin. In Table 3, G son, IDEALΠl+1,Al+1,Z can be represented by the efficiency and some features are compared between G REALπ,Aπ(l+1),Zl . On the basis of discussion above, the proposed protocol and some related protocols. For G G a fair comparison, the data should be calculated under we see thatIDEALΠl,Al,Z 6≈ IDEALΠl+1,Al+1,Z . the same security conditions. Therefore, these data are Then IDEALG,E(G) 6≈ REALG . However, Sπ(l),Zl π,Aπ(l),Zl collected under mesh topology. However, each protocol G,E(G) G based on the Eq.(4) IDEALS0,Z0 ≈ REAlπ,A0,Z0 . solves the dispute in different ways. It is difficult to mea- They are contradicted. It shows that our hypothesis sure with the same standard. Accordingly, these data in G G IDEALΠl,Al,Z 6≈ IDEALΠl+1,Al+1,Z is wrong. Table 3 are collected in optimistic situation, that is, all To summarize, the Mixl and Mixl+1 are indistin- participants are honest and no network problems. guishable for non-uniform PPT environments Z, where n is the number of participants. In [5], n = 2L, x ∈ l ∈ {1, ...L}. The lemma is proved. {1, ...L−1} and the mix topology means mesh and sequen- tial topologies. Message shows the number of signatures l G,E(G) l+1 Obviously, theMix equals IDEALΠ,Al,Z , and Mix on information which is produced by each partyPi, i ∈ G l l+1 {1, ...n}. In the form of A/B, A represents the transmis- equals to REALπ,A,Z . Through Mix ≈ Mix , where 1 2 sion and message of the general participant and B stands l ∈ {1, ··· ,L}.We can obtain Mix ≈ Mix ≈ ··· ≈ l l+1 G,E(G) G for transmission and message of winner. Mix ≈ Mix , that is, IDESΠ,Al,Z ≈ REALπ,A,Z . The Definition 2 is proved. That is, our protocol provides Draper-Gil et al. [10] presents a MPCS protocol for dif- fairness. ferent topologies. In their paper, n rounds are required to obtain the signature because the participants generate a partial signature per round. H. Kılın¸c, et al. [20] pro- 6 Other Topology pose a MFE protocol that requires constant round. The transmission of mesh topology is o(n2) which is less than Following the same way, we extend the proposed pro- o(n3) of [10]. Compared efficiency with protocols [10,20], tocol to any topology. Participants send and receive mes- the number of transmissions and messages is less than sages sequentially in ring topology and sequential topol- our proposed protocol. Meanwhile, our proposed protocol ogy. However, participants have no order in star topology only requires constant round. What’s more, the proposed and mesh topology. First, we discuss the circumstances in protocol does not have a center (TTP). which participants need to execute protocol in sequence. Andrychowicz et al. [1] and M. Bartoletti, et al. [5] All transactions are publicly visible on the ledger and propose multi-party exchange protocols based on bitcoin. participants also have some offline communications, such The protocol in [5] is a mix topology of mesh and sequen- as negotiating the deposit and maximum delay time et tial, and the protocol in [1] is a mesh topology. However, al.Now the order of participants is also agreed offline. the protocol in [5] obtains the winner by n − 1 two-party That is, the transaction of the latter participant appears matches so that rounds match are needed. By comparing on the ledger unless the transaction of the former partici- efficiency with protocols in [1,5], the message in our pro- pant appears on the ledger. Order of participants, deposit tocol and the protocol in [1] is basically the same but it and the delay time of the transaction et al. may vary in is less than the protocol in [5]. The transmission of our different protocols. Meanwhile, the number of copies of protocol is less than the protocol in [1] but it is more than the deposit is determined by the participants involved (A the protocol in [5]. Participants decrease exponentially as deposit is required between participants who exchange in- the round number increases in the protocol in [5] but the formation directly) in the transactions. Obviously, these number of participants is constant in each round in our issues are easy to solve. If the above problems have been protocol. Nevertheless, the proposed scheme can be ap- resolved, our proposed protocol can be applied to ring plied to any topology and the protocols in [1, 5] do not International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 81

Table 3: Comparison of the proposed protocol with previous protocol Protocol Technique Topology TTP Number of rounds Transmission(mesh) Message(mesh) [10] MFE Any Yes n n2(n − 1) (n − 1)2 + 1 [20] Bitcoin Mesh No Constant 4n2 + 3n + 3 or 2n/2n + 1 4n2 + 2n + 2 [1] MPCS Any Yes Constant 5n(n − 1) 5n(n − 1) [5] Bitcoin Mix No L 2n + 7 × 2L−1 − 8 2n + 1 + 6x or 2n+6L-1 our Bitcoin Any No Constant n2 + 4n − 2 2n

apply to. References In summary, our protocol provides more properties, [1] M. Andrychowicz, S. Dziembowski, D. Malinowski, that is, applicable to any topology,constant round and and L. Mazurek, “Secure multiparty computations on no center are simultaneously satisfied. So far there has bitcoin,” in IEEE Symposium on Security and Pri- been no protocol to meet these properties at the same vacy, pp. 443-458, May. 2014. time. Efficiency has also been improved except for the [2] M. Andrychowicz, S. Dziembowski, D. Malinowski, transmission of the protocol in [5]. andL, Mazurek, “Modeling bitcoin contracts by timed automata,” in Formal Modeling and Analysis of Timed System, pp. 7-22, Sept. 2014. [3] A. Back, and I. Bentov, Note on Fair Coin Toss via 8 Conclusions Bitcoin, 2013. (https://arxiv.org/abs/1402.3698) [4] C. Badertscher, U. Maurer, D. Tschudi, and V. Zikas, Fairness is one of the most fundamental properties that Bitcoin as a Transaction Ledger: A Composable Treat- need to be addressed by all exchange protocols. How- ment, Aug. 2017. (https://eprint.iacr.org/2017/ ever, we use the deposit instead of a third party to en- 149.pdf) sure fairness. It avoids some problems which are caused [5] M. Bartoletti, and R. Zunino,“Constant-deposit mul- by the third party. The proposed protocol is a hybrid tiparty lotteries on bitcoin,” in Bitcoin and Block model without center. It can not only achieve fairness Chain Bibliography, pp. 231-247, 2017. and security but also can automatically execute the pro- [6] K. Beekman, “A denial of service attack against fair tocol within a limited time. As far as we know, no other computations using bitcoin deposits,” Information fair exchange protocol offers the specific process of the Processing Letters, vol. 116, no. 2, pp. 144-146, 2016. smart contract in the hybrid model. Moreover, we have [7] I. Bentov, and R. Kumaresan, “How to use bitcoin shown a fair exchange protocol which is suitable for vari- to design fair protocols,” Lecture Notes in Computer ous topologies with small modifications. So far, there are Science, vol. 8617, pp. 421-439, Aug. 2014. few researches on the topological structure based on bit- [8] J. Bonneau, A. Miller, J. Clark, and A. Narayanan, coin. These problems have been studied in our paper at “SoK: Research perspectives and challenges for bit- the same time. However, the merchant gets the BTCs of coin and cryptocurrencies,” in IEEE Symposium on the consumers in about an hour (6T ). And the deposit is Security and Privacy, pp. 104-121, May 2015. returned in about an hour. The cost is a slightly longer [9] T. Y. Chang, M. S. Hwang, and W. P. Yang,“An im- time to transactions. This is a problem for the proposed proved multi-stage secret sharing scheme based on the protocol. How to shorten transactions time is our future factorization problem,” Information Technology and work. Control, vol. 40, no. 3, 2011. [10] G. Draper-Gil, J. L. Ferrer-Gomila, M. Francisca Hinarejos, and J. Y. Zhou, “On the efficiency of multi- party contract signing protocols,” in 18th Interna- tional Conference (ISC’15), pp. 227-243, Sep. 2015. Acknowledgments [11] Z. Eslami, M. Noroozi, and S. K. Rad, “Provably secure group key exchange protocol in the presence of This work was supported in part by the National dishonest insiders,” International Journal of Network Key Research and Development Program of China Security, vol. 18, no.1, pp. 33-42, 2016. (No.2016YFB0800601), the Natural Science Foundation [12] J. Garay, A. Kiayias, and N. Leonardos, “The bitcoin of China (No.61303217, 61502372), the Natural Sci- backbone protocol: Analysis and applications,” Lec- ence Foundation of Shaanxi province (No.2013JQ8002, ture Notes in Computer Science, vol. 9057, pp. 281- 2014JQ8313). 310, Apr. 2015. International Journal of Network Security, Vol.21, No.1, PP.71-82, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).09) 82

[13] S. Goldfeder, J. Bonneau, R. Gennaro, and [25] T. Ruffing, and A. Kate, “Liar, liar, coins on fire!: N. Arvind, ”Escrow protocols for cryptocurrencies: Penalizing equivocation by loss of bitcoins,” in Pro- How to buy physical goods using bitcoin,” in Bitcoin ceedings of the 22nd ACM SIGSAC Conference on and Block Chain Bibliography, pp. 321-339, 2017. Computer and Communications Security, pp. 219-230, [14] O. Goldreich, S. Micali, A. Wigderson, ”How to play Oct. 2015. any mental game or a completeness theorem for proto- [26] Y. Sun, H. F. Zhu, and X. S. Feng, “A novel and cols with honest majority,” in Proceedings of the 19th concise multi-receiver protocol based on chaotic maps Annual ACM Symposium on Theory of Computing, with Privacy Protection,” International Journal of pp. 218-229, Jan. 1987. Network Security, vol. 19, no. 3, pp. 371-382, 2017. [15] E. Heilman, F. Baldimtsi, and S. Goldberg, “Blindly [27] A. C. Yao,“Protocols for secure computations,” in signed contracts: anonymous on-blockchain and off- Foundations of Computer Science, pp. 160-164, Nov. blockchain bitcoin transactions,” in International 1982. Financial Cryptography Association, pp.43-60, Feb. [28] Y. F. Yao and F. H. Yu,“Privacy-preserving similar- 2016. ity sorting in multi-party model,” International Jour- [16] R. J. Hwang, and C. H. Lai, “Provable fair docu- nal of Network Security, vol. 19, no. 5, pp. 851-857, ment exchange protocol with transaction privacy for 2017. e-commerce,” Symmetry, vol. 7, no. 2, pp. 191-196, [29] S. W. Zheng, Credit Model Based on P2P Electronic 2015. Cash System Bitcoin, School of Information Security [17] M. H. Ibrahim, ”SecureCoin: A robust secure and Engineering Shanghai Jiao Tong University, 2011. efficient protocol for anonymous bitcoin ecosystem,” International Journal of Network Security, vol. 19, no. 2, pp. 295-312, 2017. Biography [18] A. Juels, A. Kosba, and E. Shi, “The ring of gyges: Using smart contracts for crime,” in Memento Com- Lijuan Guo received the BS degree in Mathematics and puter and Communication Science, pp. 40-54, 2015. Applied Mathematics from Changzhi University in 2015. [19] A. Kiayias, H. S. Zhou, and V. Zikas, “Fair and ro- She is currently working toward the M.S. degree in School bust multi-party computation using a global transac- of Mathematics and Statistics from Xidian University. tion ledger,” Lecture Notes in Computer Science, vol. Her research interests include information security, fair 9666, pp. 705-734, May 2016. exchange protocol, blockchain. [20] H. Kılın¸c,and A. K¨up¸c¨u,“Optimally efficient multi- Xuelian Li received her PhD degree of Cryptography in party fair exchange and fair secure multi-party com- December 2010 at Xidian University. Currently, she is putation,” Lecture Notes in Computer Science, vol. currently an associate professor at School of Mathematics 9048, pp. 330-349, Apr. 2015. and Statistics, Xidian University. Her research interests [21] S. Lal and M. L. Das, “On the security analysis of include information security, fair exchange protocol, cryp- protocols using action language,” International Jour- tographic functions and stream ciphers. nal of Electronics and Information Engineering, vol. 2, no. 1, pp. 1-9, 2015. Juntao Gao received his PhD degree of Cryptogra- [22] H. Pagnia, H. Vogt, and F. C. G¨artner,“Fair ex- phy in December 2006 at Xidian University. He is cur- change,” Computer Journal, vol. 46, no. 1, pp. 55-75, rently an associate professor at School of Telecommuni- 2003. cations, Xidian University. He is also a member of Chi- [23] M. Patrick, M. Malter, F. Siamak, Shahandasti, and nese Association for Cryptologic Research. His research F. Hao, “Towards bitcoin payment networks,” Lecture interests include information security, stream cipher and Notes in Computer Science, vol. 9722, pp. 57-76, July cryptographic functions, pseudorandom sequences and 2016. blockchain. [24] R. Rivest, and B. Kaliski,“RSA problem,” in Ency- clopedia of Cryptography and Security, pp. 532-536, 2005. International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 83

Medical Image Encryption Scheme Based on Multiple Chaos and DNA Coding

Joshua C. Dagadu1, Jianping Li1, Emelia O. Aboagye1 and Faith K. Deynu2 (Corresponding author: Joshua C. Dagadu)

School of Computer Science and Engineering, University of Electronic Science and Technology of China1 School of Communication and Information Engineering, University of Electronic Science and Technology of China2 No. 2006, Xiyuan Ave. West Hi-Tech, Chengdu 611731, China (Email: [email protected]) (Received Sept. 4, 2017; revised and accepted Nov. 28, 2017)

Abstract data encryption standard (DES) and advanced encryp- tion standard (AES) have been employed in encrypting The combination of chaos and deoxyribonucleic acid medical images [20], these schemes have not been found (DNA) coding for image encryption in recent times has very efficient due to certain intrinsic properties of images proven to provide robust security for images. In this including high redundancy, bulk data capacity and high paper, an encryption scheme based on multiple chaos correlation among adjacent pixels [1, 28]. Consequently, and DNA coding is proposed for gray scale medical im- chaos based schemes have been extensively proposed in ages. The chaotic tent map is used to generate chaotic current research [6, 12, 16, 18]. key stream and the logistic map is used to randomly Chaotic systems exhibit random behavior and have in- select DNA encoding and decoding rules. The chaotic herent features such as ergodicity, unpredictability and key and the plain medical image are first encoded into sensitivity to initial conditions. A chaotic dynamical sys- DNA sequences. A selected DNA algebraic operation tem is not predictable and resembles noise [29]. This pro- (addition/subtraction/XOR) is carried out between the vides a close relationship between chaotic dynamical sys- plain image DNA sequence and the key DNA sequence; tems and cryptosystems. The sensitivity to initial condi- the outcome is then decoded to obtain the cipher image. tions property of chaos is used for keys in cryptosystems The process is carried out both on row and column bases while the topological transitivity property which ensures to achieve a robust cipher. The initial experimental re- the ergodicity of chaos maps, is linked to the diffusion sults show that the scheme demonstrates strong resistance feature of cryptosystems [22]. This has led to the use of against diverse forms of attacks. chaos maps in numerous image encryption schemes [4,6]. Keywords: DNA Coding; Encryption; Logistic Map; Med- However, chaos-based encryption does not always pro- ical Image; Tent Map vide a high degree of security [5,23,38], due to weak diffu- sion functions, weakness against chosen and known plain- text attacks and poor statistical properties of some chaos 1 Introduction maps [8, 13, 24]. The quest for more robust image cryp- tosystems has resulted in the combination of chaos maps The advent of remote healthcare delivery, fueled by mod- and other algorithms such as cellular automata [31, 32], ern technologies such as telemedicine, telesurgery and DNA coding [15, 19, 35] and other forms of combina- teleradiology exposes medical data, not excepting med- tions [12, 16, 33] for image encryption schemes. ical images, to security vulnerabilities; as these images DNA has been applied to chaotic systems recently due are transmitted over public digital communication net- to its properties such as huge storage, massive parallelism works [21] and are stored in networked storage facilities to and low power consumption [40]. The chaotic tent map be used for clinical interpretation and diagnosis. Schemes was explored for a cryptosystem recently [17]. It is found used in securing medical images are expected to achieve to have high complexity and the sequences generated have high degrees of resistance against security attacks without high randomness. Besides, it is highly sensitive to changes compromising the diagnostic quality of the images after in the initial condition. In [17], it was applied directly to decryption. This is because alterations made to medical the plain image to produce the cipher image. Obviously, images during processing, may result in irreversible wrong with such a scheme, once the initial condition and control diagnostic consequences. Though the conventional en- parameter are known by an adversary, it is easy to break. cryption schemes such as Rivest-Shamir-Adleman (RSA), In this paper, we combine the chaotic tent map with DNA International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 84 coding to encrypt medical images. We first generate the 2.2 Tent Map initial condition of the tent map and produce the encryp- The tent map is one of the simplest chaotic maps. It tion key using the map. We then apply randomly selected is a one-dimensional and piecewise linear map [14]. The DNA encoding/decoding rules and DNA algebraic opera- chaotic behaviors of this map were studied in terms of the tions to produce the cipher image. unchanging density and the power spectrum over its entire The rest of the paper has the following organization: chaotic region in [39]. It was realized that as the height In Section 2, we give overviews of logistic map, tent map of the maximum is reduced, band-splitting change pro- and DNA coding. We present our proposed scheme in cesses that follow in an uninterrupted sequence occur in Section 3, discuss experimentation and results in Section 4 the chaotic region and accumulate to the transition point and finally conclude in Section 5. into the non-chaotic region. The map is topologically con- jugate, thus its behaviors are in this sense, identical under iteration [17]. It is mathematically expressed as: 2 Preliminaries xn+1 = f (xn, r) , (2) We give overviews of the chaos maps (logistic map and  fL (xn, r) = rxn, if xn < 0.5 tent map) and DNA coding in this section. f (xn, r) = (3) fR (xn, r) = r (1 − xn) , otherwise

where xn ∈ [0, 1] for n ≥ 0. The map transforms an 2.1 Logistic Map interval [0, 1] onto itself and has only one control param- The logistic map is a polynomial mapping of degree 2. eter r contained in it; where r ∈ [0, 2]. x0 is the initial It is often cited as a typical example of how very sim- condition of the chaotic map and the set of real values ple nonlinear dynamical systems can result in complex x0, x1, ··· , xn, ··· are the orbits of the system [17]. chaotic behaviors [7]. It is one of the simple systems Depending on r, the system exhibits a range of behav- that exhibit order to chaos transition and possesses many iors from predictable to chaotic. When 1000 r values from properties required of a pseudorandom number generator r = 0.1 to r = 2 with x0 = 0.03 are plotted, it results in (PRNG) [25]. The main criterion that distinguishes dif- the distribution shown in Figure 2. ferent PRNGs is usually the quality of randomness. More- over, the quality of randomness, implementation cost and throughput are essential factors to evaluate the effective- ness of PRNGs in applications [9]. For the largest value of its control parameter, the logistic map has the ability to generate an infinite chaotic sequence of numbers. When compared to the usual congruential random generators which are periodic, the logistic random number generator is infinite, aperiodic and not correlated [3]. It is mathematically given as:

xi+1 = uxi (1 − xi) , (1) where u ∈ (0, 4), x ∈ (0, 1) and i is the iteration. The logistic map is in a chaotic condition when the control Figure 2: Tent map with r values from 0.1 to 2 parameter is [3.57, 4.0] as shown in Figure 1. When 1000 r values from r = 1.999999 to r = 2 with x0 = 0.03 are plotted, it results in the distribution shown in Figure 3.

2.3 DNA Coding DNA sequence has become extremely useful for basic bi- ological research and in diverse applied fields such as di- agnostic, forensics and biological systematics [11], not ex- cepting computer science. DNA sequence composes four bases: Adenine (A), Thymine (T), Guanine (G) and Cy- tosine (C). Among these bases, A and T are complemen- tary to each other, while G and C are complementary to each other [27]. That is, the purine Adenine always pairs Figure 1: Bifurcation diagram of the logistic map with the pyrimidine Thymine and the purine Guanine al- ways pairs with the pyrimidine Cytosine, according to the International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 85

Table 1: Watson crick’s complementary rule 1 C(00) G(11) A(01) T(10) 5 A(00) T(11) C(01) G(10) 2 C(00) G(11) A(10) T(01) 6 A(00) T(11) C(10) G(01) 3 G(11) C(00) A(01) T(10) 7 A(11) T(00) C(01) G(10) 4 G(11) C(00) A(10) T(01) 8 A(11) T(00) C(10) G(01)

Table 3: DNA XOR operation XOR AGCT A AGCT G GATC C CTAG T TCGA

Table 4: DNA addition + AGCT Figure 3: Tent map with r values from 0.999999 to 2 A AGCT G GCTA C CTAG rules of base pairing by Watson and Crick [37] as shown T TAGC in Table 1. In the binary system, 0 and 1 are complementary; sim- ilarly, 00 and 11 are complementary, 01 and 10 are also Table 5: DNA subtraction complementary. Mapping the two-bit binary system to the DNA bases, 24 rule sets can be obtained [27]. Among - AGCT these 24 rules, only 8 satisfy the Watson-Crick base pair- A ATCG ing rules. A can only bond with T and C can only bond G GATC with G. Based on this, DNA-based computing uses only C CGAT 8 sets of encoding and decoding rules [34] as shown in T TCGA Table 2.

Table 2: DNA coding rules used to decode it would give a different binary value. Tak- ing two DNA sequences (ATTC) and (GAGT), applying Rules ATCG one type of addition operation on them would result in Rule 1 00 11 01 10 (GTAG). Subtracting (GAGT) from (GTAG) would give Rule 2 00 11 10 01 back (ATTC). Rule 3 01 10 00 11 Rule 4 10 01 00 11 Rule 5 01 10 11 00 Rule 6 10 01 11 00 Rule 7 11 00 01 10 3 The Proposed Scheme Rule 8 11 00 10 01 The block diagram of the proposed scheme is given in Some algebraic operations can be performed on DNA Figure 4. The user inputs the plain medical image and sequences. Tables 3, 4 and 5 show the XOR, addition and an initial key string of 16 ASCII characters. This key subtraction operations respectively. In order to enhance is preprocessed to generate the initial conditions of the the diffusion phase in encryption, these operations are two chaos maps. The logistic map is used to select the employed. DNA encoding and decoding rules while the tent map is Using the DNA coding, each 8-bit pixel of a gray scale used to generate the pseudorandom key stream. Both the image can be expressed as a DNA sequence of length 4. image and key stream are encoded into DNA sequences Taking a pixel of gray level 150 for instance, its 8-bit bi- followed by a DNA algebraic operation between them. nary sequence is (10010110). Using DNA encoding rule The resultant sequence is decoded to produce the cipher 4 from Table 2, (ATTA) is obtained. Decoding (ATTA) image. The encryption phase is carried out on both row with the same rule 4 gives (10010110). Any other rule and column bases as in [36]. International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 86

Figure 4: Block diagram of proposed scheme

3.1 Key Generation Step 9: The chaotic sequence (X = {x1, x2, x3, ··· , xMN }). For each xi ∈ X, convert into in- Step 1: Enter a key length of 16 ASCII characters made teger sequence to generate the key image Q = up of 128 bits {Q1,Q2,Q3, ··· ,QMN } as K = K ,K ,K , ··· ,K (4) 14

1 2 3 16 Qi = mod floor xi × 10 , 256 (10)

where Ki = b1, b2, ··· , b8 and i = 1, 2, ··· , 16. where Qi ∈ Q. Step 2: Convert the first 8 characters of K into their hexadecimal form 3.2 Encryption Step 1: Read in the plain medical image I. α = h1, h2, ··· , h16 (5) Step 2: Get the dimensions M and N of I and use to generate the key image as described in Section 3.1. Step 3: Add the hexadecimal values as

Step 3: Using the initial condition x0 generated as in 16 !, X Section 3.1 and parameter u ∈ [3.57, 4], which is user x = (h ) 256 (6) 1 i 10 defined, iterate equation 1 ( i.e. the Logistic map) i=1 M times to obtain new values of x. Step 4: Convert the last 8 characters of K into binary Step 4: For each iteration, preprocess x as form as X = floor (x × 7) + 1. (11) β = b1, b2, ··· , b64 (7)

Step 5: Add the binary values β as Step 5: Select the DNA encoding rule corresponding to X and encode all the pixels on the row with the se- 64 !, lected rule to obtain the DNA sequence of the plain X i
64 x2 = bi × 2 2 (8) medical image. i=1 Step 6: Repeat Steps 3 to 5 for the key image to get the Step 6: Get the initial condition as DNA sequence of the key image Q. Step 7: Select the DNA algebraic operation (⊕/ + /−) x = mod ((x + x ) , 1) (9) 0 1 2 using Y = floor (x × 3) + 1. (12) where x0 ∈ [0, 1] (suitable for both logistic and tent maps). Step 8: Perform the selected operation Y between the corresponding rows in the plain image DNA sequence Step 7: Choose the control parameter r for the tent map, and the key DNA sequence to get I0. where r ∈ [0, 2]. Step 9: Decode I0 on row basis using selected decoding Step 8: Using x0 and r, iterate Equation (3) (i.e. the rules as in Step 5 to get φ0. tent map) MN times to generate the pseudorandom bit sequence X where M and N are the dimensions Step 10: Repeat Steps 3 to 9 on column basis of φ0 to of the medical image. produce the cipher medical image φ. International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 87

The decryption process works similar to the encryption (a) (b) process in the reverse order with the DNA reverse oper- ations, taking in as input, the same initial key string of 16 ASCII characters, the control parameters of the chaos maps and the cipher image.

4 Experimentation and Results (c) (d) 6000 4.1 Experimental Setup 600

The experiment is carried out on a personal computer 4000 400 with Intel core i5, 2.6GHz CPU, 4GB memory, windows 10 and MATLAB 2016b. A number of gray scale med- 2000 200 ical images of diverse modalities and sizes are used in the experiment. Four of the images: CT scan and MRI 0 0 images with dimensions (256×256), and X-ray and Ultra- 0 100 200 0 100 200 sound images with dimensions (512 × 512) are presented Figure 5: Histograms of plain and encrypted CT scan in this paper. For our experiment, we use an external images. (a) Plain image, (b) Cipher image, (c) Histogram key K =0 D3A4C1CB687EAF 8C0 to generate the initial of plain image, (d) Histogram of cipher image. condition x0 of both chaos maps. Control parameters r of 1.999999 for the tent map and u of 3.99999999 for the logistic map are used. Correlation analysis, histogram (a) (b) analysis, key space and information entropy are the eval- uation metrics used to assess the security strength of the proposed scheme.

4.2 Histogram Analysis An efficient image cryptosystem should have a uniform histogram distribution so as to make it impossible for at- (c) (d) tackers to extract any meaningful information from the 600 encrypted image; since the image histogram reveals the 2000 400 pixel value distribution within the image. 1000 Figures 5, 6, 7 and 8 show the histogram plots for our 200 test images. It is evident from these plots that the pro- posed scheme uniformly distributes pixel values in the ci- 0 0 pher images hence has the capability to resist cipher only 0 100 200 0 100 200 attacks. Figure 6: Histograms of plain and encrypted MRI images. (a) Plain image, (b) Cipher image, (c) Histogram of plain 4.3 Correlation Analysis image, (d) Histogram of cipher image. The correlation coefficients of adjacent pixels of an image provide information about the image. In images, the hor- where x and y are the gray scale values of two adjacent izontal, vertical and diagonal correlations between pixels pixels of the image, D (x) is the variance, cov (x, y) is the are high. Encryption algorithms must reduce these rela- covariance and E (x) is the mean. We randomly select tionships among the adjacent pixels in the cipher image. 2000 pairs of adjacent pixels from both original and en- The correlation coefficients among adjacent pixels is cal- crypted images and calculate their horizontal, vertical and culated with following equations: diagonal correlation coefficients. It is evident from Table 6 1 XN and Figure 9 that that the proposed scheme adequately E (x) = xi N i=1 breaks the correlation among adjacent pixels; hence is ro- 1 XN 2 bust enough against statistical attacks. D (x) = (xi − E (x)) N i=1 1 XN cov (x, y) = (xi − E (x)) (yi − E (y)) N i=1 4.4 Information Entropy cov (x, y) rxy = q Information entropy is a mathematical property that re- D (x) × pD (y). flects the randomness and the unpredictability of infor- International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 88

(a) (b)

(c) (d) 4000 2000 3000

2000 1000 1000

0 0 0 100 200 0 100 200

Figure 7: Histograms of plain and encrypted X-ray im- ages. (a) Plain image, (b) Cipher image, (c) Histogram Figure 9: Correlation between adjacent pixels of plain and of plain image, (d) Histogram of cipher image. cipher X-ray images

(a) (b)

where N is the total number of symbols mi ∈ m; p (mi) denotes the probability of occurrence of symbol mi and log represents the base 2 logarithm. It measures the ran- domness of the encryption. If there are 256 possible out- comes of the 8-bit message m with equal probability, the message source is said to be random in which case H (m) is equal to 8; the ideal situation. As seen from Table 7, (c) (d) the entropy values of all test images are very close to the 6000 ideal value giving an indication that there is negligible 2000 information leakage during encryption hence strong resis- 4000 tance against entropy attacks. 1000 2000 Table 7: Information entropy 0 0 0 100 200 0 100 200 Test Image Information Entropy Original Image Cipher image Figure 8: Histograms of plain and encrypted ultrasound CT (256 × 256) 3.985490 7.997302 images. (a) Plain image, (b) Cipher image, (c) Histogram MRI (256 × 256) 5.604739 7.997444 of plain image, (d) Histogram of cipher image. Ultrasound (512 × 512) 7.032954 7.999336 X-Ray (512 × 512) 7.332680 7.999365 Table 6: Correlation coefficients of adjacent pixels Test image Format Correlation Coefficients Horizontal Vertical Diagonal 4.5 Key Space CT (256 × 256) Original 0.975312 0.974458 0.955728 Cipher -0.001043 0.000512 0.003564 The control parameters and the initial value used for the MRI (256 × 256) Original 0.963534 0.965572 0.941237 logistic map and the tent map to generate the pseudoran- Cipher -0.009193 -0.004846 -0.001906 Ultrasound (512 × 512) Original 0.998894 0.998637 0.997181 dom bits form the set for the key space. We generated Cipher -0.001084 0.000350 0.002023 the initial condition from an external input key of size 128 X-Ray (512 × 512) Original 0.998516 0.996325 0.994887 bits. The computational precision of the 64-bit double Cipher -0.001091 0.000924 0.002773 precision number is about 10−15, according to the IEEE floating-point standard [26]. For an effective encryption scheme, the key space size should not be smaller than 2100 mation [30]. It is given as in order to resist brute-force attacks [2]. If a precision of −16 2N −1 10 is assumed, the secret key space for our scheme X 1 128 H (m) = p (m ) log (13) is more than 2 which is adequate to resist brute-force i p (m ) i=0 i attacks. International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 89

5 Conclusion [7] S. Chakraborty, A. Seal, M. Roy, and K. Mali, “A novel lossless image encryption method using dna An encryption scheme based on multiple chaos and DNA substitution and chaotic logistic map,” International coding have been proposed for gray scale medical im- Journal of Security and Its Applications, vol. 10, ages. The chaotic tent map is used to generate chaotic no. 2, 2016. key stream which is encoded into DNA sequence for pixel [8] G. Chen, Y. Mao, and C. K. Chui, “A symmetric value modification. The logistic map is used to randomly image encryption scheme based on 3d chaotic cat select DNA encoding/decoding rules and the DNA alge- maps,” Chaos, Solitons & Fractals, vol. 21, no. 3, braic operation. The pixels of an input medical image pp. 749–761, 2004. are encoded into DNA sequence; which is followed by a [9] S. L. Chen, T. T. Hwang, and W. W. Lin, “Random- randomly selected DNA algebraic operation between the ness enhancement using digitalized modified logistic plain medical image DNA sequence and the key DNA se- map,” IEEE Transactions on Circuits and Systems quence. The resulting DNA sequence of the algebraic op- II: Express Briefs, vol. 57, no. 12, pp. 996–1000, 2010. eration is then randomly decoded to obtain the cipher [10] M. El-Sayed, El-Alfy, S. M. Thampi, H. Takagi, S. image. The process is carried out both on row and col- Piramuthu, and T. Hanne, Advances in Intelligent umn bases to achieve a robust cipher. The reverse pro- Informatics, 2015. ISBN:3319112171 9783319112176. cess successfully decrypts the cipher image. Simulation [11] R. Enayatifar, A. H. Abdullah, and I. F. Isnin, outcomes and performance analyses: histogram analysis, “Chaos-based image encryption using a hybrid ge- correlation analysis, entropy analysis and key space anal- netic algorithm and a dna sequence,” Optics and ysis show that the scheme demonstrates strong resistance Lasers in Engineering, vol. 56, pp. 83–93, 2014. against diverse forms of attacks, hence it is reliable for [12] R. Enayatifar, H. J. Sadaei, A. H. Abdullah, M. Lee, medical image encryption. and I. F. Isnin, “A novel chaotic based image en- cryption using a hybrid model of deoxyribonucleic acid and cellular automata,” Optics and Lasers in Acknowledgments Engineering, vol. 71, pp. 33–41, 2015. [13] H. Gao, Y. Zhang, S. Liang, and D. Li, “A new This paper was supported by the National Natural Sci- chaotic algorithm for image encryption,” Chaos, ence Foundation of China (Grant No. 61370073), the Na- Solitons & Fractals, vol. 29, no. 2, pp. 393–399, 2006. tional High Technology Research and Development Pro- [14] T. Habutsu, Y. Nishio, Iwao Sasase, and Shinsaku gram of China (Grant No. 2007AA01Z423), the project of Mori, “A secret key cryptosystem by iterating a Science and Technology Department of Sichuan Province. chaotic map,” in Eurocrypt, vol. 91, pp. 127–136, 1991. [15] T. Hu, Y. Liu, L. H. Gong, and C. J. Ouyang, “An References image encryption scheme combining chaos with cycle operation for dna sequences,” Nonlinear Dynamics, [1] M. A. F. Al-Husainy, “A novel encryption method vol. 87, no. 1, pp. 51–66, 2017. for image security,” International Journal of Security [16] C. Jin and H. Liu, “A color image encryption and Its Applications, vol. 6, no. 1, 2012. scheme based on arnold scrambling and quantum [2] G. Alvarez and S. Li, “Some basic cryptographic chaotic.,” International Journal Network Security, requirements for chaos-based cryptosystems,” Inter- vol. 19, no. 3, pp. 347–357, 2017. national Journal of Bifurcation and Chaos, vol. 16, [17] C. Li, G. Luo, K. Qin, and C. Li, “An image encryp- no. 08, pp. 2129–2151, 2006. tion scheme based on chaotic tent map,” Nonlinear [3] M. Andrecut, “Logistic map as a random number Dynamics, vol. 87, no. 1, pp. 127–133, 2017. generator,” International Journal of Modern Physics [18] J. Li, Y. Xing, C. Qu, and J. Zhang, “An im- B, vol. 12, no. 09, pp. 921–930, 1998. age encryption method based on tent and lorenz [4] S. S. Askar, A. A. Karawia, and A. Alshamrani, chaotic systems,” in 6th IEEE International Confer- “Image encryption algorithm based on chaotic eco- ence on Software Engineering and Service Science nomic model,” Mathematical Problems in Engineer- (ICSESS’15), pp. 582–586, 2015. ing, vol. 2015, 2015. [19] X. Li, C. Zhou, and N. Xu, “A secure and efficient [5] R. Bechikh, H. Hermassi, A. A. A. El-Latif, R. image encryption algorithm based on dna coding and Rhouma, and S. Belghith, “Breaking an image en- spatiotemporal chaos,” International Journal Net- cryption scheme based on a spatiotemporal chaotic work Security, vol. 20, no. 1, pp. 110-120, 2018. system,” Signal Processing: Image Communication, [20] G. Lokeshwari, S. Susarla, and S. U. Kumar, “A vol. 39, pp. 151–158, 2015. modified technique for reliable image encryption [6] A. Belazi, A. A Abd El-Latif, and Safya Bel- method using merkle-hellman cryptosystem and rsa ghith, “A novel image encryption scheme based on algorithm,” Journal of Discrete Mathematical Sci- substitution-permutation network and chaos,” Sig- ences and Cryptography, vol. 18, no. 3, pp. 293–300, nal Processing, vol. 128, pp. 155–170, 2016. 2015. International Journal of Network Security, Vol.21, No.1, PP.83-90, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).10) 90

[21] S. Maheshkar et al., “Region-based hybrid medical [35] X. Y. Wang, Y. Q. Zhang, and Y. Y. Zhao, “A novel image watermarking for secure telemedicine applica- image encryption scheme based on 2-d logistic map tions,” Multimedia Tools and Applications, vol. 76, and dna sequence operations,” Nonlinear Dynamics, no. 3, pp. 36173647, 2017. vol. 82, no. 3, pp. 1269–1280, 2015. [22] Y. Mao and G. Chen, “Chaos-based image encryp- [36] X. Wang and C. Liu, “A novel and effective image tion,” Handbook of Geometric Computing, pp. 231– encryption algorithm based on chaos and dna en- 265, 2005. coding,” Multimedia Tools and Applications, vol. 76, [23] B. Norouzi, S. Mirzakuchaki, and P. Norouzi, no. 5, pp. 6229–6245, 2017. “Breaking an image encryption technique based on [37] J. D. Watson and F. H. Crick, “Molecular structure neural chaotic generator,” Optik-International Jour- of nucleic acids: A structure for deoxyribose nucleic nal for Light and Electron Optics, vol. 140, pp. 946– acid,” Nature, vol. 248, no. 4356, pp. 765, Apr. 25, 952, 2017. 1953. [24] Z. Parvin, H. Seyedarabi, and M. Shamsi, “A new se- [38] W. S. Yap, R. C. W. Phan, W. C. Yau, and S. H. cure and sensitive image encryption scheme based on Heng, “Cryptanalysis of a new image alternate en- new substitution with chaotic function,” Multimedia cryption algorithm based on chaotic map,” Nonlinear Tools and Applications, vol. 75, no. 17, pp. 10631– Dynamics, vol. 80, no. 3, pp. 1483–1491, 2015. 10648, 2016. [39] T. Yoshida, H. Mori, and H. Shigematsu, “Analytic study of chaos of the tent map: Band structures, [25] S. C. Phatak and S. S. Rao, “Logistic map: A possi- power spectra, and critical behaviors,” Journal of ble random-number generator,” Physical Review E, statistical physics, vol. 31, no. 2, pp. 279–308, 1983. vol. 51, no. 4, pp. 3670, 1995. [40] K. Zhan, D. Wei, J. Shi, and J. Yu, “Cross-utilizing [26] Floating point Working Group et al., “Ieee stan- hyperchaotic and dna sequences for image encryp- dard for binary floating-point arithmetic,” IEEE Std, tion,” Journal of Electronic Imaging, vol. 26, no. 1, pp. 754–1985, 1985. pp. 013021–013021, 2017. [27] P. Praveenkumar, N. K. Devi, D. Ravichandran, J. Avila, K. Thenmozhi, J. B. B. Rayappan, and R. Amirtharajan, “Transreceiving of encrypted medical Biography image–a cognitive approach,” Multimedia Tools and Applications, pp. 1–26, 2017. Joshua C. Dagadu is a Ph.D. candidate in the Inter- [28] D. Ravichandran, P. Praveenkumar, J. B. B. Rayap- national Centre for Wavelet Analysis and Its Applica- pan, and R. Amirtharajan, “Chaos based crossover tions, School of Computer Science and Engineering, Uni- and mutation for securing dicom image,” Computers versity of Electronic Science and Technology of China. in Biology and Medicine, vol. 72, pp. 170–184, 2016. His research interests include information security, medi- [29] P. R. Sankpal and P. A. Vijaya, “Image encryp- cal imaging, signal processing, wavelet analysis and cloud tion using chaotic maps: a survey,” in Fifth Inter- computing. national Conference on Signal and Image Processing Jianping Li received his Ph.D. in Computer Science (ICSIP’14), pp. 102–107, 2014. from Chongqing University (1998). He is currently a pro- [30] C. E. Shannon, “Communication theory of secrecy fessor in the School of Computer Science and Engineer- systems,” Bell Labs Technical Journal, vol. 28, no. 4, ing, UESTC; Director of International Centre for Wavelet pp. 656–715, 1949. Analysis and Its Applications; Chief Editor of Interna- [31] A. Souyah and K. M. Faraoun, “An image encryp- tional Computer Conference on Wavelet Active Media tion scheme combining chaos-memory cellular au- Technology and Information Processing. His research in- tomata and weighted histogram,” Nonlinear Dynam- terests include wavelet theory and applications, fractals, ics, vol. 86, no. 1, pp. 639–653, 2016. image processing, pattern recognition, information secu- [32] W. Srichavengsup and W. San-Um, “Data encryp- rity, electronic commerce, and optimization techniques of tion scheme based on rules of cellular automata and information acquisition and processing. chaotic map function for information security,” In- Emelia O. Aboagye is a Ph.D. candidate in the School ternational Journal Network Security, vol. 18, no. 6, of Computer Science and Engineering, University of Elec- pp. 1130–1142, 2016. tronic Science and Technology of China. Her research [33] Z. Tang, X. Zhang, and W. Lan, “Efficient image interests include machine learning, big data processing, encryption with block shuffling and chaotic map,” business intelligence and cloud computing. Multimedia Tools and Applications, vol. 74, no. 15, pp. 5429–5448, 2015. Faith K. Deynu is a Ph.D. candidate in the School of [34] A. U. Rehman, X. Liao, A. Kulsoom, and S. A. Communication and Information Engineering, University Abbas, “Selective encryption for gray images based of Electronic Science and Technology of China. His re- on chaos and dna complementary rules,” Multimedia search interests include signal processing, wireless com- Tools and Applications, vol. 74, no. 13, pp. 4655– munication and optical fiber sensing. 4677, 2015. International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 91

An Efficient Fully Homomorphic Encryption Scheme

Ahmed El-Yahyaoui and Mohamed Dafir Ech-Cherif El Kettani (Corresponding author: Ahmed El-Yahyaoui)

Information Security Research Team, CEDOC ST2I ENSIAS, Mohammed V University in Rabat, Morocco (Email: ahmed [email protected]) (Received Mar. 4, 2017; revised and accepted July 13, 2017)

Abstract adequate fully homomorphic encryption scheme by ex- ploiting properties of ideal lattices. Cloud computing is a new paradigm of information tech- Gentry’s construction is based on his bootstrapping nology and communication. Performing big and com- theorem which provides that given a somewhat homomor- plex computations in a context of cloud computing and phic encryption scheme (SWHE) that can evaluate homo- big data is highly appreciated today. Fully homomor- morphically its own decryption circuit and an additional phic encryption (FHE) is a powerful category of encryp- NAND gate, we can pass to a ’leveled’ fully homomor- tion schemes that allows working with the data in its en- phic encryption scheme and so obtain a FHE scheme by crypted form. It permits us to preserve confidentiality assuming circular security. The purpose of using boot- of our sensible data and to benefit from cloud computing strapping technique is to allow refreshment of ciphertexts powers. Currently, it has been demonstrated by many ex- and reduce noise after its growth. isting schemes that the theory is feasible but the efficiency Gentry’s construction is not a single algorithm but it needs to be dramatically improved in order to make it us- is considered as a framework that inspires cryptologists able for real applications. One subtle difficulty is how to to build new fully homomorphic encryption schemes [6, efficiently handle the noise. This article aims to introduce 9, 15, 17]. A FHE cryptosystem that uses Gentry’s boot- an efficient fully homomorphic encryption scheme based strapping technique can be classified in the category of on a new mathematic structure that is noise free. noise-based fully homomorphic encryption schemes [2]. If Keywords: Fully Homomorphic Encryption; Lipschitz In- this class of cryptosystems has the advantage to be robust tegers; Probabilistic Transform; Quaternion and more secure, it has the drawback to be not efficient in terms of runtime and ciphertext size. In several works followed Gentry’s one, many techniques of noise man- 1 Introduction agement are invented to improve runtime efficiency and to minimise ciphertext and key size’s (bootstrapping [8], Fully homomorphic encryption is a type of encryption key switching, modulus switching [3], re-linearization [4], cryptosystems that support arbitrary computations on ci- flattening [10]), but the problematic of designing a prac- phertexts without ever needing to decrypt or reveal it. In tical and efficient fully homomorphic encryption scheme a context of cloud computing and distributed computa- remains the same until now. tion, this is a highly precious power. In fact, a signifi- In the literature, we can come up with a second cat- cant application of fully homomorphic encryption is to big egory of fully homomorphic encryption schemes called data and cloud computing. In these two situations, the noise-free based [2], which do not need a technique of processed data often contains private information about noise management to refresh ciphertexts. In a noise-free individuals or corporate secrets that would cause great fully homomorphic encryption scheme, one can do infin- harm if they fell into the wrong hands. Generally, FHE ity of operations on the same ciphertext without noise is used in outsourcing complex computations on sensitive growing. This class of encryption schemes is known to data stored in a cloud as it can be employed in specific ap- be faster than the previous one, it involves simple oper- plications for big data like secure search on encrypted dat ations to evaluate circuits on ciphertexts and do not re- and private information retrieval. It was an open prob- quire a noise management technique. However, it suffers lem, conjectured by Rivest, Adleman and Dertozous [14] from security problems, because the majority of designed in 1978, until the revolutionary work of Gentry in 2009 [8] schemes are cryptanalyzed today. which opens the curtain for the study of fully homomor- In this work, we will adopt the noise- free approach to phic encryption. In his thesis, Gentry proposed the first design a new and efficient fully homomorphic encryption International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 92 scheme. We will try to overcome the problem of weak 2.2 Reduced Form of a Quaternion security through using the ring of quaternions and intro- Quaternion can be represented in a more economical way, ducing a new method of coding integers in the domain of which considerably alleviates the calculations and high- quaternions. lights interesting results. Indeed, it is easy to see that We propose a new noise-free fully homomorphic en- H is a -vectorial space of dimension 4, of which (1, i, j, k) cryption scheme that uses the ring of Lipschitz’s quater- R constitutes a direct orthonormal basis. We can thus sep- nions and permits computations on data encrypted un- arate the real component of the pure components, and we der a symmetric key; a new method of coding integers have for q ∈ ,q = (a, u) such that u is a vector of 3. So (clear text) to Lipschitz’s integers and a new approach H R for q = (a, u), q0 = (a0, v) ∈ and λ ∈ we obtain: to keep constant the free noise for any ciphertext after H R any operation. We present also an implementation of our 1) q + q0 = (a + a0, u + v) and λq = (λa, λu); fully homomorphic encryption scheme in JAVA program- ing language, the obtained results constitute a concrete 2) qq0 = (aa0 − u.v, av + a0u + u ∧ v) Where ∧ is the proof and an effective demonstration to the performances cross product of R3; of our scheme. 3)¯q = (a, −u) and |q|2 = a2 + u2. Our Techniques and Results: We propose a new noise- free fully homomorphic encryption scheme that uses 2.3 Ring of Lipschitz Integers the ring of Lipschitz’s quaternions and permits com- putations on data encrypted under a symmetric key; The set of quaternions defined as follows: H(Z) = a new method of coding integers (clear text) into Lip- q = a + bi + cj + dk/a, b, c, d ∈ Z Has a ring structure schitz quaternions and a new approach to keep con- called the ring of Lipschitz integers. H(Z) is trivially non- stant the free noise for any ciphertext and after any commutative. operation. We present also an implementation of our For r n ∈ N∗, the set of quaternions: H(Z/nZ) = {q = results in JAVA programing language. a + bi + cj + dk/a, b, c, d ∈ Z/nZ} has the structure of a non-commutative ring. A modular quaternion of Lipschitz q ∈ H(Z/nZ) is 2 Mathematical Background invertible if and only if its module and the integer n are coprime numbers, i.e |q|2 ∧ n = 1. 2.1 Quaternionique Field H

A quaternion is a number in his generalized sense. 2.4 Quaternionique Matrices M2 Quaternions encompass real and complex numbers in a (H(Z/nZ)) number system where multiplication is no longer a com- mutative law. The set of matrices M2(H(Z/nZ)) describes the matrices The Irish mathematician William Rowan Hamilton in- with four inputs (two rows and two columns) which are troduced the quaternions in 1843. They now find appli- quaternions of H(Z/nZ). This set has a non-commutative cations in mathematics, physics, computer science and ring structure. engineering. There are two ways of multiplying the quaternion ma- Mathematically, the set of quaternions H is a non- trices: the Hamiltonian product, which respects the order commutative associative algebra on the field of real num- of the factors, and the octonionique product, which does bers R generated by three elements i, j and k satisfy- not respect it. ing relations: i2 = j2 = k2 = i.j.k = −1. Con- The Hamiltonian product is defined as for all matrices cretely, any quaternion q is written uniquely in the form: with coefficients in a ring (not necessarily commutative). q = a + bi + cj + dk where a, b, c and d are real numbers. For example: The operations of addition and multiplication by a  u u   v v  real scalar are trivially done term to term, whereas the U = 11 12 ,V = 11 12 multiplication between two quaternions is termed by re- u21 u22 v21 v22 specting the non-commutativity and the rules proper to i,j and k. For example, given q = a + bi + cj + dk and   0 0 0 0 0 0 u11v11 + u12v21 u11v12 + u12v22 q = a +b i+c j+d k we have qq = a0+b0i+c0j+d0k such ⇒ UV = 0 0 0 0 0 0 0 0 u21v11 + u22v21 u21v12 + u22v22 that: a0 = aa − (bb + cc + dd ), b0 = ab + a b + cd − c d, 0 0 0 0 0 0 0 0 c0 = ac − bd + ca + db and d0 = ad + bc − cb + a d. The octonionique product does not respect the order of The quaternionq ¯ = a − bi − cj − dk is the conjugate the factors: on the main diagonal, there is commutativity p p 2 2 2 2 of q.|q| = (qq¯) = (a + b + c + d ) is the module of of the second products and on the second diagonal there q. The real part of q is <(q) = (q +q ¯)/2 = a and the is commutativity of the first products. imaginary part is =(q) = (q − q¯)/2 = bi + cj + dk.     A quaternion q is invertible if and only if its modulus u11 u12 v11 v12 −1 2 U = ,V = is non-zero, and we have q = 1/|q| q¯. u21 u22 v21 v22 International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 93

 u v + v u v u + u v  ⇒ UV = 11 11 21 12 12 11 12 22 3 Related Work v11u21 + u22v21 u21v12 + v22u22 Generally, a fully homomorphic encryption In our article we will adopt the Hamiltonian product as scheme is defined as a quadruplet of algorithms an operation of multiplication of the quaternionique ma- (Gen, Enc, Dec, Eval), which can be executed in a trices. polynomial time, such as:

• Gen(λ): Is a key generation algorithm, inputs a secu- 2.5 Shur Complement and Inversibility of rity parameter λ and outputs a pair of keys (sk, pk). Quaternionique Matrices • Enc(m, pk): Is an encryption algorithm, it takes as Let R be an arbitrary associative ring, a matrix M ∈ input a clear message m and a public key pk and Rn×n is supposed to be invertible if ∃N ∈ Rn×n such outputs a ciphertext c. that MN = NM = I where N is necessarily unique. n • Dec(c, sk): Is a decryption algorithm, takes as input The Schur complement method is a very powerful tool n×n a ciphertext c and a secret key sk and outputs the for calculating inverse of matrices in rings. Let M ∈ R clear message. be a matrix per block satisfying:

• Eval(C, c1, .., cn): Is an evaluation algorithm, takes  AB  M = such that A ∈ Rk×k. as input a circuit C and ciphertexts c1, .., cn and ver- CD ifies Dec(Eval(C, c1, .., cn), sk) = C(m1, .., mn).

Suppose that A is invertible, we have: After resisting roughly three decades, Rivest et al. con- jecture was finally resolved in 2009 by Craig Gentry [8].      −1  Ik 0 A 0 Ik A B Indeed, Gentry gave a renaissance to the search for homo- M = −1 CA In−k 0 As 0 In−k morphic cryptography by designing a fully homomorphic encryption scheme considered semantically secure. Gen- −1 where As = D − CA B is the Schur complement of A try’s design can be summarized into three main stages: in M. • Somewhat Homomorphic Encryption Scheme The inversibility of A ensures that the matrix M is (SWHE): Gentry starts from a SWHE or simply ho- invertible if and only if A is invertible. The inverse of M s momorphic scheme that supports a limited number is: of homomorphic multiplications.  I −A−1B   A−1 0   I 0  M −1 = k k • Squashing the decryption circuit: Gentry reduces the 0 I 0 A−1 −CA−1 I n−k s n−k complexity of the decryption circuit by publishing a set of vectors whose sum of a part of them is equal to the secret key. This so-called ’squash’ scheme  −1 −1 −1 −1 −1 −1  A + A BAs CA −A BAs can evaluate, in addition to its SWHE capabilities, a = −1 −1 −1 −As CA As NAND gate.

For a quaternionique matrix: • Bootstrapping: The procedure of the bootstrap in- vented by Gentry consists in the evaluation of the   a b 2×2 circuit of decryption plus the NAND gate to obtain M = ∈ R = M2(H(Z/nZ)). c d a so-called ’leveled’ FHE which allows evaluating any circuit with a depth of the circuit defined at the be- where the quaternion a is invertible as well as its Schur ginning. −1 complement as = d − ca b we have M is invertible and: This first scheme is based on the addition of noise to  −1 −1 −1 −1 −1 −1  −1 a + a bas ca −a bas clear to obtain the homomorphy of the cryptosystem. The M = −1 −1 −1 −as ca as major disadvantage of noise based approach is the growth of noise after each manipulation of the ciphertext (addi- Therefore, to generate an invertible quaternionique ma- tion and/or multiplication). Indeed, in order to main- trix randomly, it is sufficient: tain the decryption capacity, it is necessary to control and reduce the noise generated after each treatment. The • To choose randomly three quaternions a,b and c for control of noise in this type of schemes increases their which a is invertible. spatial and temporal complexity, which results in a slow calculation (especially during bootstrapping) and a greed- • To select randomly the fourth quaternion d such that iness of the memory space required for storing the results −1 the Schur complement as = d − ca b of a in M is (noise amplification). Therefore, this situation influences invertible. the application of fully homomorphic encryption to our International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 94 daily life. All these causes have encouraged researchers complex theory. While the major disadvantage of this to find other frameworks for designing efficient fully ho- construction lies in the slowness of its operations (espe- momorphic encryption. cially the bootstrapping step) and the complexity of its Among the most eminent attempts to simplify fully ho- algorithms. momorphic encryption schemes is the MORE cryptosys- A noise-free construction that uses matrix operations tem [12]. It is a symmetric cryptosystem based on mod- as described in the MORE framework. This construction ular arithmetic whose homomorphy is derived from the has the advantage of being very simple, easy to implement usual matrix operations. Multiplication and addition are and provides very fast operations for any processing on matrix multiplication and addition. In the MORE en- ciphertexts. The main disadvantage of this construction cryption scheme, the clear space is the ring Z/nZ (ring of lies in the security of the schemes designed so far. The residual integers modulo n) where n is a modulo chosen schemes based on the MORE framework were subject to as in the famous RSA algorithm, whereas the ciphertext IND-CPA and IND-KPA attacks. space is the ring of the modular matrices K ∈ M2(Z/nZ). A first objective of the present encryption scheme is The secret key of this cryptosystem is an invertible ma- to improve the runtime in fully homomorphic encryption. trix K ∈ M2(Z/nZ) chosen randomly by the client and For that reason we will adopt the MORE framework as kept confidential with its inverse K−1. the basis of construction instead of the Gentry’s one which However, the MORE cryptosystem does not support requires a very slow bootstrapping step. Our second ob- the IND-CPA (Indistinguishability under Chosen Plain- jective is to overcome the dramatic problem of security text Attack) and IND-KPA (Indistinguishability under in previous cryptosystems. We propose a more secure Known Plaintext Attack) attacks. Indeed, if a third party cryptosystem than its predecessors do and resistant to in bad faith has access to a single clear and its ciphertext IND-CPA and IND-KPA attacks. Finally, we aim to en- it will be able to decrypt any encrypted message thereafter sure that our cryptosystem is fully homomorphic, that without having found the secret key. The cryptosystem is to say it allows executing any type of processing on MORE has been cryptanalyzed several times [1, 16]. encrypted data. Therefore, the choice of a well-adapted A second attempt, to overcome the security flaws of clear space is paramount to concretize the entire homo- the MORE encryption scheme and to build a secure fully morphy of our cryptosystem. We intend to use the ring homomorphic encryption scheme, is recently due to Wang Z/N 2Z, sanctioned by the two operations × and+, as and Li [13]. The two authors retained almost the same clear text space for our encryption scheme. In addition conception of MORE except that they proposed to change to this, we use a homomorphic transform that converts the ring Z/nZ by a non-commutative ring R and they used an integer into a quaternion of Lipschitz. This makes it square matrices of order 3 instead of square matrices of possible to randomize integers to ensure that the diago- order 2. Despite the use of a non-commutative ring R, nal gives no useful information about the clear (avoid the clear messages always remain numbers that commute with attack of the cryptosystem of Li-Wang). the elements of R. Our cryptosystem is resistant to IND-CPA and IND- Therefore an attack on the Wang and Li scheme is KPA attacks by the non-commutativity of the ring of the given by Kristian Gjsteen and Martin Strand in [11]. In- Lipschitz quaternions and by the use of a randomized deed, according to these authors: to attack the cryptosys- transform. It inherits its homomorphy, on the one hand tem of Wang-Li, we only need to distinguish the encryp- from the matrix operations and on the other hand from tions of 0 from a random encryption. a new homomorphic transform, between the ring Z/N 2Z The two authors observed that the diagonal of the ci- and the ring of the Lipschitz integers. Its complete ho- phertext matrix completely determines the inversibility momorphy is obtained by manipulating these Lipschitz of the matrix, because an encryption of ”0” cannot be integers using a homomorphic transform intT oQuatern. inverted. Thus, with a high probability, we can distin- guish the non-zero elements of the ring R from the zero elements. If the ring R is divisible, then there are no other 4 Homomorphic Transform non-zero elements than ” 0 ”. Finally, using a variant of intT oQuatern the LU decomposition adapted to the non-commutative rings, we can efficiently calculate the secret key matrix of Any integer σ ∈ Z/N 2Z can be encoded into a Lips- the scheme. chitz quaternion according to a homomorphic transform From what has come before, it can be pointed out whose operations on the quaternions retain those on the that there are two types of fully homomorphic encryp- integers. This transform can be given as follows: intTo- tion scheme constructions: Quatern: σ ∈ Z/N 2Z 7−→ intT oQuatern(σ) = m+αNi+ A noise-based construction that uses the bootstrapping βNj + γNk ∈ H(Z) such that α, β, γ ∈ Z/NZ are ran- technique as described in Gentry’s framework. The ad- domly chosen integers. The inverse transform that will vantage of this construction is its robust security, since be named quaternT oInt is given by: quaternT oInt(q) = the schemes designed so far (based on this approach) are Re(q)modN 2. based on mathematical problems arising from the the- It is easy to verify the homomorphism of the intTo- ory of Euclidean lattices, which remains an immune and Quatern transform: International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 95

• For the addition operation we have clearly: In order to profitably benefit from the technological 0 intT oQuatern(σ) + intT oQuatern(σ ) = advance of the cloud and to outsource its heavy calcula- 0 intT oQuatern(σ + σ modN 2). tions comfortably, Bob needs a robust highly secure fully homomorphic encryption scheme whose operations of ad- • For the multiplication operation, by passing to the dition and multiplication are done in a judicious time and reduced notation of the quaternions, we obtain whose noise generated during a treatment is manageable. 0 intT oQuatern(σ) × intT oQuatern(σ ) = (m, u) × To help Bob take full advantage of the powers of the 0 0 0 (m , v) = (mm − u.v, mv + m u + u ∧ v),so we cloud, we introduce a probabilistic symmetric fully ho- 0 0 can easily verify that mm − u.v ≡ (σ × σ )modN 2 momorphic encryption scheme without noise. The addi- 0 and thatmv + m u + u ∧ v can be put on the form tion and multiplication operations generate no noise. The (2L, P, Q) such that P ≡ Q[2] and L is an inte- multiplication is very fast and it is done in less than a mil- 0 ger. So intT oQuatern(σ) × intT oQuatern(σ ) = lisecond. The security of our cryptosystem is based on the 0 intT oQuatern(σ × σ modN 2). difficulty of solving a system of multi-varied equations in a non-commutative ring. The homomorphic transform intT oQuatern encode and randomize an input integer. The homomorphic property allows us to preserve operations from integers to Lipschitz 5.1 Key Generation quaternions. The non commutativity of multiplication • Bob generates randomly two big prime numbers p give two results for the same product of two encoded in- 0 and q. tegers (i.e intT oQuatern(σ) × intT oQuatern(σ ) = 0 0 intT oQuatern(σ × σ ) and intT oQuatern(σ ) × • Then, he calculates N = p.q. 0 intT oQuatern(σ) = bitT oQuatern(σANDσ ) 0 but intT oQuatern(σ ) × intT oQuatern(σ) 6= • Bob generates randomly an invertible matrix 0 intT oQuatern(σ) × intT oQuatern(σ ) ). The in-   a1,1 a1,2 a1,3 verse transform quaternT oInt permits to find the 2 K =  a2,1 a2,2 a2,3  ∈ 3( ( /N )) encoded integer from a Lipschitz quaternion. M H Z Z a3,1 a3,2 a3,3

5 An Efficient Fully Homomor- • Bob calculates the inverse of K, Which will be de- noted K−1). phic Encryption Scheme • The secrete key is (K,K−1). We place ourselves in a context where Bob wants to store confidential data in a very powerful but non-confident 5.2 Encryption cloud. Bob will later need to execute complex processing 2 on his data, of which he does not have the necessary com- Lets σ ∈ Z/N Z be a clear text. To encrypt σ Bob pro- puting powers to perform it. At this level he thinks for, ceed as follows: at first, the encryption of his sensitive data to avoid any • Using the transform intT oQuatern , Bob transforms fraudulent action. But the ordinary encryption, which he σ into a quaternion: m = intT oQuatern(σ) ∈ knows, does not allow the cloud to process his calcula- H(Z/N 2Z)). tion requests without having decrypted the data stored beforehand, which impairs their confidentiality. Bob asks • Bob generates a matrix if there is a convenient and efficient type of encryption to   process his data without revealing it to the cloud. The m r3 r4 2 answer to Bob’s question is favorable, in fact since 2009 M =  0 r1 r5  ∈ M3(H(Z/N Z)) there exist so-called fully homomorphic encryption, the 0 0 r2 principle of which is quite simple: doing computations on encrypted data without thinking of any previous decryp- such that ri ∈ H(Z/NZ)∀i ∈ [1, 5] are randomly gen- tion. erated with |r1| ≡ 0[N]. To be completely homomorphic, it is sufficient for a • The ciphertext of σ is C = Enc(σ) = KMK−1 ∈ cryptosystem to perform the two operations of addition 2 M3(H(Z/N Z)). and multiplication a multitude of times on ciphertexts. Since their first appearance in 2009, fully homomorphic encryption schemes allow to easily realize the additions 5.3 Decryption whereas the multiplication remains very expensive in term 2 Lets C ∈ M3(H(Z/N Z)) be a ciphertext. To decrypt C of runtime and exhausting in terms of the noise growth. Bob proceeds as follows: Actually, on average, an addition doubles the noise of an encrypted message while a multiplication raises it to the • He calculates M = K−1CK using his secrete key square. (K,K−1). International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 96

• Then he takes the first input of the resulting matrix oracle, which decrypts arbitrary ciphertexts at the m = (M)1,1. adversary’s request, returning the plaintext.

• Finally, he recovers his clear message by calculat- Startup: ing σ = quaternT oInt(m) using the quaternT oInt transform. 1) The challenger generates a secret key Sk based on some security parameter k (e.g., a key size in bits) 5.4 Addition and Multiplication and retains it.

Let σ1 and σ2 be two clear texts and C1 = Enc(σ1) and 2) The adversary A may ask the encryption oracle for C2 = Enc(σ2) be their ciphertexts respectively. It is easy any number of encryptions, calls to the decryption to verify, thanks to the intT oQuatern transform, that: oracle based on arbitrary ciphertexts, or other oper- ations. • Cadd = C1 + C2 = Enc(σ1) + Enc(σ2) = Enc(σ1 + 2 σ2modN ). 3) Eventually, the adversary A submits two distinct cho- sen plaintexts m0, m1 to the challenger. • Cmult = C1.C2 = Enc(σ1).Enc(σ2) = Enc(σ1 × 2 σ2modN ). The Challenge:

1) The challenger selects a bit b ∈ {0, 1} uniformly at 6 Comparison with Other random, and sends the `challenge´ ciphertext C = Schemes Enc(Sk, mb) back to the adversary. The adversary is free to perform any number of additional compu- As it is shown in Table 1, our cryptosystem presents good tations or encryptions. performances compared to other existing schemes. Its ciphertext and key sizes depend linearly to cleartext space 2) In the non-adaptive case (IND − CCA), the adver- dimension. The other schemes use a small cleartext space sary may not make further calls to the decryption which influences the runtime of the algorithm. In our case oracle before guessing. we are using a large cleartext space which allows us to 3) In the adaptive case (IND − CCA2), the adversary encrypt big messages and perform computations directly may make further calls to the decryption oracle, but on ciphertexts. We can observe that the complexity of may not submit the challenge ciphertext C. Li-Wang’s scheme is smaller than ours, but this scheme uses a smaller cleartext space. 4) In the end it will guess the value of b.

7 Security The Result: • Again, the adversary A wins the game if it guesses Ciphertext indistinguishability is an important security the bit b. property of many encryption schemes. Intuitively, if a cryptosystem possesses the property of indistinguishabil- • A cryptosystem is indistinguishable under chosen ci- ity, then an adversary will be unable to distinguish pairs phertext attack if no adversary can win the above of ciphertexts based on the message they encrypt. It is game with probability p greater than 1/2 +  where easy to see that a fully homomorphic encryption scheme is a negligible function in the security parameter k. cannot be secure against adaptive chosen ciphertext at- tacks (IND − CCA2). • If p > 1/2 then the difference p−1/2 is the advantage of the given adversary in distinguishing the cipher- The adversary: We are protecting ourselves from an ad- text. versary A, who: In our situation, the adversary A should distinguish an • Is a probabilistic polynomial time Turing machine. encryption of zero from an encryption of one after asking the encryption oracle of a number of encryptions and the • Has all the algorithms. decryption oracle to decrypt arbitrary ciphertexts. The • Has full access to communication media. adversary A can do operations on the two given cipher- texts to distinguish zero from one, as he can do operations Chosen Ciphertext Attack: In this model, the attack on the entire ciphertext matrices or just to use some en- assumes that the adversary A has access to an en- trees (the diagonal of ciphertexts matrices). In our case, cryption oracle and that the adversary can choose even if the diagonal of M determines completely the in- an arbitrary number of plaintexts to be encrypted vertibility of C, an encryption of an integer σ ∈ Z/N 2Z and obtain the corresponding ciphertexts. In addi- is always non invertible because of the choice of the ran- tion, the adversary A gains access to a decryption dom r1(|r1| ≡ 0[N]). Therefore, an adversary cannot then International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 97

Table 1: Comparison of the performances of FHE schemes Algorithm Cleartext Space Secret Key Public Key Ciphertext Gentry [8] {0, 1} n7 n3 n1.5 Smart-Vercautern [15] {0, 1} O(n3) n3 O(n1.5) DGHV [17] {0, 1} O˜(λ10) O˜(λ2) O˜(λ5) CMNT [7] {0, 1} O˜(λ7) O˜(λ2) O˜(λ5) Batch DGHV [5] {0, 1}l O˜(λ7) l.O˜(λ2) l.O˜(λ5) Li-Wang [13] Z/NZ O(N) NA O(N) Our scheme Z/N 2Z O(N 2) NA O(N 2)

distinguish encryptions of units from encryptions of non- 6) c2,3 = a2,1ma1¯,3 + (a2,1r3 + a2,2r1)a2 ¯,3 + (a2,1r4 + units. Consequently, the attack proposed on Li-Wang’s a2,2r5 + a2,3r2)a3 ¯,3 scheme [13] in [11] do not work for our case. Based on these assumptions, we believe that our fully homomor- 7) c3,1 = a3,1ma1¯,1 + (a3,1r3 + a3,2r1)a2 ¯,1 + (a3,1r4 + phic encryption scheme is indistinguishable under chosen a3,2r5 + a3,3r2)a3 ¯,1 ciphertext attacks (IND − CCA1). 8) c = a ma¯ + (a r + a r )a ¯ + (a r + Concerning the security of the secret key: 3,2 3,1 1,2 3,1 3 3,2 1 2,2 3,1 4 a r + a r )a ¯ Given a random secret key of our encryption scheme: 3,2 5 3,3 2 3,2

  9) c3,3 = a3,1ma1¯,3 + (a3,1r3 + a3,2r1)a2 ¯,3 + (a3,1r4 + a1,1 a1,2 a1,3 a3,2r5 + a3,3r2)a3 ¯,3 K =  a2,1 a2,2 a2,3  a3,1 a3,2 a3,3 According to the decryption algorithm, the plaintext m can be obtained by the equation: and (*) m = (a1 ¯,1c1,1 +a1 ¯,2c2,1 +a1 ¯,3c3,1)a1,1 + (a1 ¯,1c1,2 +   a1¯,1 a1¯,2 a1¯,3 a1¯,2c2,2 +a1 ¯,3c3,2)a2,1 + (a1 ¯,1c1,3 +a1 ¯,2c2, 3 +a1 ¯,3c3,3)a3,1 −1 K =  a2¯,1 a2¯,2 a2¯,3  An adversary who possesses the ciphertext C and a3¯,1 a3¯,2 a3¯,3 wants to find the cleartext m or the secret key from the above nine equations should, at least, extract the secret 2 and a cleartext σ ∈ Z/N Z. componentsa1 ¯,1, a1¯,2, a1¯,3, a1,1, a2,1 and a3,1 according to A ciphertext of m = intT oQuatern(σ) is determined the equation (*). Since our fully homomorphic encryption by: scheme is probabilistic, these nine equations are randomly independent even if the encrypted messages are the same  c c c  1,1 1,2 1,3 one. Therefore finding the secret key is equivalent to a C = KMK−1 = c c c  2,1 2,2 2,3  problem of solving an over-defined system of quadratic c c c 3,1 3,2 3,3 multivariate polynomial equations in a non-commutative such that ring.   m r3 r4 M =  0 r1 r5  8 Implementation and Test 0 0 r2 We provide an implementation of our fully homomorphic Therefore, we obtain the nine following equations: encryption scheme with the fully homomorphic capabil- ity, i.e. we implement the key generation, encryption, 1) c = a ma¯ + (a r + a r )a ¯ + (a r + 1,1 1,1 1,1 1,1 3 1,2 1 2,1 1,1 4 decryption, add and mult operations. a r + a r )a ¯ 1,2 5 1,3 2 3,1 The implementation is done using a personal computer 2) c1,2 = a1,1ma1¯,2 + (a1,1r3 + a1,2r1)a2 ¯,2 + (a1,1r4 + with characteristics: bi-cores Intel core i5 CPU running a1,2r5 + a1,3r2)a3 ¯,2 at 2.40 GHz, with 512KB L2 cache and 4GB of Random Access Memory. The present implementation is done un- 3) c1,3 = a1,1ma1¯,3 + (a1,1r3 + a1,2r1)a2 ¯,3 + (a1,1r4 + der JAVA programming language using the IDE Eclipse a1,2r5 + a1,3r2)a3 ¯,3 platform. The fundamental results of our tests are summarized 4) c2,1 = a2,1ma1¯,1 + (a2,1r3 + a2,2r1)a2 ¯,1 + (a2,1r4 + in Table 1, for the security parameter n that we used a2,2r5 + a2,3r2)a3 ¯,1 to generate the secret key. In this table we summarize 5) c2,2 = a2,1ma1¯,2 + (a2,1r3 + a2,2r1)a2 ¯,2 + (a2,1r4 + the main parameters of our fully homomorphic encryption a2,2r5 + a2,3r2)a3 ¯,2 scheme. International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 98

Table 2: Comparison of the performances of FHE schemes Security Key Secret param Gen Encryption Decryption Addition Multiplication Key Ciphertext 256 bit 0.12s 0.02s 0.003 s  1ms  1ms 2.25KB 1.125KB 512 bit 0.31s 0.04s 0.004s  1ms 1ms 4.5KB 2.25KB 1024 bit 1.2s 0.19s 0.01s  1ms 2ms 9KB 4.5 KB 2048 bit 10.16s 1.76s 0.034s  1ms 10ms 18KB 9KB 4096 bit 130s 20s 0.1s  1ms 27ms 36KB 18KB

In one hand, we observe that, even if encryption and tional Journal of COmputer Science and Information decryption operations are approximately the same, the Security, vol. 14, no. 5, 2016. runtime of encryption operation is significantly higher [2] E. Y. Ahmed and M. D. Elkettani, “Fully homomor- than the runtime of the decryption operation. This exces- phic encryption: State of art and comparison,” In- sive difference between the two operations is due to the ternational Journal of COmputer Science and Infor- intToQuatern transform, we note that the most of the mation Security, vol. 14, no. 4, 2016. encryption time is spent in transforming an integer to a [3] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, quaternion of Lipschitz. Concerning the evaluation op- “(Leveled) Fully homomorphic encryption without erations, we observe that addition is always done in less bootstrapping,” ACM Transactions on Computation than one millisecond and multiplication is done in an op- Theory (TOCT’14), vol. 6, no. 3, pp. 13, 2014. timized time. This is adequate in view of the fact that [4] Z. Brakerski and V. Vaikuntanathan, “Efficient fully matrix operations are simples. Therefore, these runtimes homomorphic encryption from (standard) LWE,” are practical in the context of a cloud that has unlimited SIAM Journal on Computing, vol. 43, no. 2, pp. 831– computation powers. 871, 2014. In the other hand, we note that the secret key size [5] J. H. Cheon, J. S. Coron, J. Kim, M. S. Lee, T. is of the order of some few Kbytes for a given security Lepoint, M. Tibouchi, and A. Yun, “Batch fully ho- parameter n. Moreover, the ciphertext size is about half momorphic encryption over the integers,” in Annual the secret key size. This is because the secret key consists International Conference on the Theory and Appli- of two matrices but the ciphertext is just one matrix. All cations of Cryptographic Techniques, pp. 315–335, ciphertext sizes are fixe owing to the fact that we are using 2013. a noise free fully homomorphic encryption scheme. [6] G. Chunsheng, “Fully homomorphic encryption based on approximate matrix GCD,” Aavailable 9 Conclusion at ePrint, 2011. (https://eprint.iacr.org/2011/ 645.pdf) In this article, we presented a new fully homomorphic [7] J. S. Coron, A. Mandal, D. Naccache, and M. Ti- encryption scheme. It is symmetric, noise free and prob- bouchi, “Fully homomorphic encryption over the in- abilistic cryptosystem, for which the ciphertext space is tegers with shorter public keys,” in Annual Cryptol- a non-commutative ring quaternionic based. We utilize ogy Conference, pp. 487–504, 2011. a homomorphic transform to encode an integer into a [8] C. Gentry and D. Boneh, A fully homomorphic en- quaternion before its encryption. Our encryption scheme cryption scheme, Doctoral Dissertation, 2009. ISBN: find its applications in the domain of cloud computing 978-1-109-44450-6. and big data security. It is an efficient and practical [9] C. Gentry, S. Halevi, and N. P. Smart, “Homomor- scheme whose security is based on the problem of solving phic evaluation of the aes circuit,” in Advances in an over-defined system of quadratic multivariate polyno- Cryptology, pp. 850–867, 2012. mial equations in a non-commutative ring. We have pro- [10] C. Gentry, A. Sahai, and B. Waters, “Homomorphic vided an implementation and simulation of our algorithm encryption from learning with errors: Conceptually- using JAVA programming language and a personal com- simpler, asymptotically-faster, attribute-based,” in puter Core i5 CPU running at 2.40 GHz, with 512KB L2 Advances in Cryptology, pp. 75–92, 2013. cache and 4GB of Random Access Memory. The experi- [11] K. Gjøsteen and M. Strand, “Can there be efficient mental results justifies the efficiency of our construction. and natural fhe schemes,” IACR Cryptology ePrint Archive, vol. 2016, pp. 105, 2016. References [12] A. Kipnis and E. Hibshoosh, “Efficient methods for practical fully homomorphic symmetric-key encryp- [1] E. Y. Ahmed and M. D. Elkettani, “Cryptanalysis ton, randomization and verification,” IACR Cryptol- of fully homomorphic encryption schemes,” Interna- ogy ePrint Archive, vol. 2012, pp. 637, 2012. International Journal of Network Security, Vol.21, No.1, PP.91-99, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).11) 99

[13] J. Li and L. Wang, “Noise-free symmetric fully ho- Biography momorphic encryption based on noncommutative rings,” IACR Cryptology ePrint Archive, vol. 2015, Ahmed El-Yahyaoui is a PhD student at Mohammed pp. 641, 2015. V University in Rabat, Morocco. His research area is [14] R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On about cryptography and computer science security. In his data banks and privacy homomorphisms,” Founda- PhD, he is working on a topical subject which is ”Fully tions of secure computation, vol. 4, no. 11, pp. 169– homomorphic encryption”. He received an engineering 180, 1978. degree in telecommunications and information technolo- [15] N. P. Smart and F. Vercauteren, “Fully homomor- gies in 2013 from the National Institute of Postes and phic encryption with relatively small key and cipher- Telecommunications (INPT) in Morocco. text sizes,” in International Workshop on Public Key Mohamed Dafir Ech-Cherif El Kettani is a professor Cryptography, pp. 420–443, 2010. of computer science and information security at ENSIAS [16] B. Tsaban and N. Lifshitz, “Cryptanalysis of the in Morocco. His research area is about information secu- more symmetric key fully homomorphic encryption rity and multicast routing. He obtained an engineering scheme,” Journal of Mathematical Cryptology, vol. 9, degree from Mohamedia School of Engineering in 1994 no. 2, pp. 75–78, 2015. and a PhD degree in computer science in 2001 from the [17] V. Vaikuntanathan, C. Gentry, S. Halevi, and M. same school. V. Dijk , “Fully homomorphic encryption over the integers,” in Annual International Conference on the Theory and Applications of Cryptographic Tech- niques, pp. 24–43, 2010. International Journal of Network Security, Vol.21, No.1, PP.100-104, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).12) 100

Cryptanalysis of the Mutual Authentication and Key Agreement Protocol with Smart Cards for Wireless Communications

Shu-Fen Chiou1, Hsieh-Tsen Pan2, Eko Fajar Cahyadi2,3, and Min-Shiang Hwang2,4 (Corresponding author: Min-Shiang Hwang)

Department of Information Management, National Taichung University of Science and Technology, Taiwan1 Department of Computer Science & Information Engineering, Asia University, Taichung, Taiwan2 Department of Telecommunication Engineering, Institut Teknologi Telkom Purwokerto, Purwokerto, Indonesia3 Department of Medical Research, China Medical University Hospital, China Medical University, Taiwan4 (Email: [email protected]) (Received Aug. 21, 2018; revised and accepted Dec. 5, 2018)

Abstract In 2016, Thandra et al. also proposed a secure and effi- cient user authentication scheme [23]. However, Pan et al. Recently, Guo et al. proposed a secure and efficient shown that their scheme is vulnerable to denial of service, mutual authentication and key agreement protocol with online and offline password guessing, and user imperson- smart cards for wireless communications. There are two ation attacks [19]. In 2016, Wei et al. proposed a user au- main contributions of their scheme: confidentiality of the thentication scheme [25]. However, Tsai et al. also shown session key and updating the password efficiently. They that their scheme is vulnerable to password guessing, de- claimed that their scheme could withstand various known nial of service, and privileged insider attacks [24]. In 2017, types of attacks: user anonymity, withstanding the insider Liu et al. thus proposed an efficient and secure user au- attacks, the replay attacks, and the offline dictionary at- thentication scheme with smart cards [15]. However, Liu tacks. However, we find some weaknesses of their scheme et al. shown that their scheme was also vulnerable to the in this article. We show that their scheme is vulnerable to replaying attacks [14]. on-line password guessing with smart cards under stolen Recently, Guo et al. proposed a secure and efficient attacks and the denial of service attacks. mutual authentication and key agreement protocol with Keywords: Formal Proof; Key Agreement; Password; smart cards for wireless communications [7]. There are Smart Card; User Authentication two main contributions of their scheme: confidentiality of the session key and updating the password efficiently. They claimed that their scheme could withstand various 1 Introduction known types of attacks: user anonymity, withstanding the insider attack, the replay attacks, the offline dictionary at- The most widely applied to verify the legitimate users tacks. However, we find some weaknesses of their scheme in wireless communications is the user authentication in this article. We show that their scheme is vulnerable to schemes [5, 9, 13, 17, 22, 26]. Many user authentication on-line password guessing with smart cards under stolen schemes are designed to verify the users for single server attacks and the denial of service attacks. environment [2, 8, 18, 21]. However, more and more re- The rest of this paper is organized as follows. In Sec- mote users need more services in various clouds or differ- tion 2, we briefly review Guo et al.’s mutual authentica- ent servers. In other word, the remore users in internet tion and key agreement protocol. In Section 3, we ana- and wireless communications will be operated in a multi- lyze and show that some security flaws exist in Guo et servers or multi-clouds [4,11,16]. In the conventional user al.’s user authentication scheme. Finally, we present our authentication schemes, the remote users not only need conclusions in Section 4. to login to various cloud servers with repetitive registra- tion, but also need to remember the various remote user ID (identity) and password pairs [3, 6, 10, 12]. 2 Review of Guo et al.’s Scheme In 2012, Ramasamy et al. proposed a remote user authentication scheme for smart cards [20]. However, In this section, we briefly review Guo et al.’s mutual au- Thandra et al. showed that their scheme is insecure [23]. thentication and key agreement protocol with smart cards International Journal of Network Security, Vol.21, No.1, PP.100-104, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).12) 101 for wireless communications [7]. There are four partici- 2.3 The Authentication Phase pants in Guo et al.’s mutual authentication and key agree- Upon receiving the authentication request message ment protocol: Users (Ui, i = 1, 2, ··· , m for short); Card {ID ,ID ,P ,R ,X } from user U , the base station reader (CR for short); Base stations (BS for short) and i CHj i i i i BS executes this authentication phase in the following: cluster head (CHj, j = 1, 2, ··· , n for short). The scheme consists of four phases, namely, the registration phase, the 1) The base station computes login phase, the authentication phase, and the password change phase. ∗ Yi = h(IDi k s), ∗ ∗ pwri = Yi ⊕ Xi, 2.1 The Registration Phase ∗ ∗ N1 = pwri ⊕ Ri In the registration phase, the base station BS makes a ∗ ∗ ∗ ∗ Pi = h(Yi k IDCHj k N1 k pwri ). smart card for a new user (Ui). The registration phase is executed as follows: ∗ 2) BS checks whether computed Pi equals sending Pi 1) The new user Ui firstly chooses a random number yi, or not. If it holds good, base station further chooses his/her identity IDi and password pwi. a random number N2 and computes

2) U computes pwr = h(pw k y ) and sends ∗ i i i i Zi = pwri ⊕ N2, {ID , pwr } to the base station BS through a secure i i D = h(Y ∗ k N k ID k ID k N ∗). channel. i i 2 CHj i 1

3) After getting message {ID , pwr } from the user U , i i i 3) BS sends {IDi,IDCHj ,Zi,Di} to the user Ui. Again base station computes Xi = h(IDi k s) ⊕ pwri and base station computes Bi = h(h(IDi k s) k pwri). ∗ N3 = N2 ⊕ N1 , 4) The base station issues a smart card for user Ui by Vi = h(IDCH k SCH ), storing {Xi,Bi, h(·)} into the memory of the smart j j card. Ei = Vi ⊕ N3, ∗ ∗ Ai = h(Yi k N3 k pwri ), 5) After getting his/her smart card, user Ui stores yi into the memory of the smart card. Li = Ai ⊕ Vi

Gi = h(SCHj k N3 k Ai k IDi k IDCHj ) 2.2 The Login Phase

4) BS sends {Ei,Li,Gi,IDi,IDCHj } to the cluster In this phase, the user (Ui) wants to login to the base head CHj. After that, the following computations station BSj for obtaining some services; the user (Ui) are performed: firstly attaches his/her smart card to a device reader and 0 0 inputs his/her identity IDi and password PWi . The login a. After getting reply message phase is executed in the following: {IDi,IDCHj ,Zi,Di} from base station, 0 0 0 the card reader computes N2 = Zi ⊕ pwri, Di 1) Then card reader computes 0 0 = h(Yi k N2 k IDCHj k IDi k N1) and checks 0 pwr0 = h(pw k y ), whether computed Di equals sending Di or not. i i i 0 0 0 0 If it holds good, then computes N3 = N1 ⊕ N2, Yi = Xi ⊕ pwri, 0 0 0 0 Ai = h(Yi k N3 k pwri) and session key SK = B0 = h(Y 0 k pwr0 ), 0 0 i i i h(IDi k IDCHj k N3 k Ai). 0 b. After receiving message and checks whether computed Bi equals stored Bi. {E ,L ,G ,ID ,ID } from base sta- If true, proceed to next, otherwise ‘rejects’ user Ui, i i i i CHj tion, cluster head CH computes V ? = then, user Ui chooses IDCH and submits it to the j i j ? ? ? ? card reader. h(IDCHj k SCHj ), N3 = Vi ⊕Ei, Ai = Li ⊕Vi ? ? ? and Gi = h(SCHj k N3 k Ai k IDi k IDCHj ) ? 2) The card reader further chooses a random number and checks weather computed Gi equals send- N1 and computes ing Gi or not. If true, then it computes session ? ? key SK = h(IDi k IDCH k N k A ). 0 0 j 3 i Pi = h(Yi k IDCHj k N1 k pwri) 0 Now, both parties (user U and cluster head CH ) Ri = N1 ⊕ pwri, i j agree with common shared session key SK and can

and sends {IDi,IDCHj ,Pi,Ri,Xi} to the base sta- communicate securely to each other by a shared se- tion. cret session key SK in future. International Journal of Network Security, Vol.21, No.1, PP.100-104, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).12) 102

3 Cryptanalysis of Guo et al.’s 3.2 The improvement of Guo et al.’s Scheme Scheme The main weakness of Guo et al.’s user authentication In this section, we will analyze Guo et al.’s mutual authen- scheme is that the attacker could repeat to guess the pass- tication and key agreement protocol with smart cards for word with smart card. To improve the weakness of Guo wireless communications [7]. Guo et al. claimed that their et al.’s scheme, the smart card in this scheme should set scheme resisted different possible attacks, including smart up the timer. If the user input the incorrect password 3 card stolen attacks, impersonation attacks, privileged in- times, the smart card must initiate the registration of the sider attacks, replay attacks, off-line password guessing user. attacks, theft attacks, session key recovery attacks, de- nial of service attacks, and cluster head capture attacks. In this section, we show that Guo et al.’s user authenti- 4 Conclusion cation scheme is vulnerable to off-line password guessing with smart cards under stolen attacks. In this article, we have reviewed Guo et al.’s mutual au- thentication and key agreement protocol with smart cards 3.1 Off-line Password Guessing with for wireless communications [7] and cryptanalyzing its se- Smart Cards under Stolen Attacks curity. Because the user password chosen is easy to re- member, we showed that Guo et al.’s user authentication Guo et al. claimed that an attacker is hard to derive user’s scheme cannot withstand the off-line password guessing password PWi if the attacker gets the user’s smart card with smart cards under stolen attacks. We also propose and a login message {IDi,IDCHj ,Pi,Ri,Xi} between the an improvement of Guo et al.’s Scheme in this article. user Ui and base station BS. In this section, we will show that Guo et al.’s scheme is vulnerable to off-line password guessing with smart cards under stolen attacks. Acknowledgment The attacker is able to intercept from the public This research was partially supported by the Ministry of channel. Thus, the attacker obtains a login message Science and Technology, Taiwan (ROC), under contract {ID ,ID ,P ,R ,X } between the user U and base i CHj i i i i no.: MOST 104-2221-E-468-004 and MOST 105-2410-H- station BS. The attacker may guess the user’s password 468-009. MOST 106-2221-E-468-002. PWi as follows: 1) The attacker guesses the user’s password PW 0.

0 References 2) The smart card computes pwri as follows: [1] R. Amin, ”Cryptanalysis and Efficient Dynamic ID pwr0 = h(PW 0||y ), i i Based Remote User Authentication Scheme in Multi- here yi is obtained from the smart card. server Environment Using Smart Card”, Interna- tional Journal of Network Security, Vol. 18, No. 1, 3) The smart card computes Y 0 and N 0 as follows: i 1 pp. 172-181, 2016. 0 0 Yi = Xi ⊕ pwri, [2] N. Anwar, I. Riadi, A. Luthfi, ” Forensic SIM Card 0 0 Cloning Using Authentication Algorithm”, Interna- N = Ri ⊕ pwr . 1 i tional Journal of Electronics and Information Engi- Here, Xi and Ri are intercepted from the last login neering, Vol. 4, No. 2, pp. 71-81, 2016. message between the smart card and the base station. [3] C. C. Chang, W. Y. Hsueh, T. F. Cheng, ”An Advanced Anonymous and Biometrics-based Multi- 4) The attacker computes P 0 as follows: i server Authentication Scheme Using Smart Cards”, 0 0 0 0 International Journal of Network Security, Vol. 18, Pi = h(Yi ||IDCHj ||N1||pwri). 0 No. 6, pp. 1010-1021, 2016. Next the attacker checks if Pi is or not equal to Pi; [4] T. Y. Chen, C. C. Lee, M. S. Hwang, J. K. Jan, here Pi is intercepted from the last login message ”Towards Secure and Efficient User Authentication between the smart card and the base station. If it’s Scheme Using Smart Card for Multi-Server Environ- hold, the guessed password is correct, otherwise, the ments”, The Journal of Supercomputing, Vol. 66, No. attacker guess other password and checks it again as 2, pp. 1008-1032, 2013. the above steps. [5] T. Y. Chang, W. P. Yang, M. S. Hwang, “Simple au- The attacker could repeat the above step to re-guess thenticated key agreement and protected password the other password. If it is true, this implies that change protocol”, Computers & Mathematics with 0 the guessing password PWi is correct. Therefore, Applications, vol. 49, pp. 703–714, 2005. Guo et al.’s user authentication scheme is vulnerable [6] T. H. Feng, C. H. Ling, and M. S. Hwang, ”Crypt- to the off-line password guessing with smart cards analysis of Tan’s Improvement on a Password Au- under stolen attacks. thentication Scheme for Multi-server Environments”, International Journal of Network Security, Vol.21, No.1, PP.100-104, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).12) 103

International Journal of Network Security, Vol. 16, Internet Technology, Vol. 11, No. 7, pp. 997-1004, No. 4, pp. 318-321, 2014. 2010. [7] C. Guo, C. C. Chang, S. C. Chang, ”A secure and ef- [18] E. O. Osei, J. B. Hayfron-Acquah, ”Cloud Comput- ficient mutual authentication and key agreement pro- ing Login Authentication Redesign”, International tocol with smart cards for wireless communications”, Journal of Electronics and Information Engineering, International Journal of Network Security, Vol. 20, Vol. 1, No. 1, pp. 1-8, 2014. No. 2, pp. 323-331, 2018. [19] C. S. Pan, C. Y. Tsai, S. C. Tsaur, M. S. Hwang, [8] M. S. Hwang, L. H. Li, ”A New Remote User Authen- ”Cryptanalysis of an efficient password authentica- tication Scheme Using Smart Cards”, IEEE Trans- tion scheme”, 2016 3rd International Conference on actions on Consumer Electronics, Vol. 46, No. 1, pp. Systems and Informatics (ICSAI 2016), 2016. 28-30, 2000. [20] R. Ramasamy and A. P. Muniyandi, ”An Efficient [9] C. C. Lee, M. S. Hwang, I. E. Liao, ”Security Password Authentication Scheme for Smart Card”, Enhancement on a New Authentication Scheme International Journal of Network Security, Vol. 14, with Anonymity For Wireless Environments”, IEEE No. 3, pp. 180-186, 2012. Transactions on Industrial Electronics, Vol. 53, No. [21] J. J. Shen, C. W. Lin, M. S. Hwang, ”A Modified 5, pp. 1683-1687, 2006. Remote User Authentication Scheme Using Smart Cards”, IEEE Transactions on Consumer Electron- [10] L. H. Li, I. C. Lin, M. S. Hwang, ”A Remote Pass- ics, Vol. 49, No. 2, pp. 414-416, 2003. word Authentication Scheme for Multi-server Archi- [22] M. Stanek, ”Weaknesses of Password Authentication tecture Using Neural Networks”, IEEE Transactions Scheme Based on Geometric Hashing”, International on Neural Networks, Vol. 12, pp. 1498-1504, 2001. Journal of Network Security, Vol. 18, No. 4, pp. 798- [11] I. C. Lin, M. S. Hwang, L. H. Li, ”A New Remote 801, 2016. User Authentication Scheme for Multi-Server Archi- [23] P. K. Thandra, J. Rajan, and S. A. V. S. Murty, tecture”, Future Generation Computer Systems, vol. ”Cryptanalysis of an Efficient Password Authentica- 19, no. 1, pp. 13-22, 2003. tion Scheme”, International Journal of Network Se- [12] C. H. Ling, W. Y. Chao, S. M. Chen, and M. curity, Vol. 18, No. 2, pp. 362-368, 2016. S. Hwang, ”Cryptanalysis of Dynamic Identity [24] C. Y. Tsai, C. S. Pan, and M. S. Hwang, ”An Im- Based on a Remote User Authentication Scheme proved Password Authentication Scheme for Smart for a Multi-server Environment”, in 2015 Interna- Card”, Recent Developments in Intelligent Systems tional Conference on Advances in Mechanical En- and Interactive Applications, Lecture Notes in Com- gineering and Industrial Informatics (AMEII 2015), puter Science, Springer, 2017. Zhengzhou, April 11-12, 2015, Advances in Engineer- [25] J. Wei, W. Liu, X. Hu, ”Secure and Efficient Smart ing Research, vol. 15, pp. 981-986, Atlantis Press, Card Based Remote User Password Authentication 2015. Scheme”, International Journal of Network Security, [13] C. W. Liu, C. Y. Tsai, and M. S. Hwang, ”Crypt- Vol. 18, No. 4, pp. 782-792, 2016. analysis of an Efficient and Secure Smart Card Based [26] H. Zhu, Y. Zhang, and Y. Zhang, ”A Provably Pass- Password Authentication Scheme”, Recent Develop- word Authenticated Key Exchange Scheme Based ments in Intelligent Systems and Interactive Applica- on Chaotic Maps in Different Realm”, International tions, Lecture Notes in Computer Science, Springer, Journal of Network Security, Vol. 18, No. 4, pp. 688- 2017. 698, 2016. [14] C. W. Liu, C. Y. Tsai, and M. S. Hwang, ”Crypt- analysis of an Efficient and Secure Smart Card Based Password Authentication Scheme”, Recent Develop- Biography ments in Intelligent Systems and Interactive Applica- tions, Lecture Notes in Computer Science, Springer, Shu-Fen Chiou received a B.B.A degree in Information 2017. Management from National Taichung Institute of Tech- nology, Taichung, Taiwan, ROC, in 2004; She studied [15] Y. Liu, C. C. Chang, S. C. Chang, ”An Efficient and M.S. degree in Computer Science and Engineering from Secure Smart Card Based Password Authentication National Chung Hsing University for one year, and she Scheme”, International Journal of Network Security, started to pursue the Ph.D. degree. She received a Ph. Vol. 19, No. 1, pp. 1-10, 2017. D. from Computer Science and Engineering from Na- [16] Y. Liu, C. C. Chang, C. Y. Sun, ”Notes on An tional Chung Hsing University in 2012. She is currently Anonymous Multi-server Authenticated Key Agree- an assistant professor of department of Information ment Scheme Based on Trust Computing Using Management, National Taichung University of Science Smart Card and Biometrics”, International Journal and Technology. Her current research interests include of Network Security, Vol. 18, No. 5, pp. 997-1000, information security, network security, data hiding, text 2016. mining and big data analysis. [17] J. W. Lo, J. Z. Lee, M. S. Hwang, Y. P. Chu, ”An Ad- vanced Password Authenticated Key Exchange Pro- Hsien-Tsen Pan received B.S. in Business Admin- tocol for Imbalanced Wireless Networks”, Journal of istration From Soochow University Taipei Taiwan in International Journal of Network Security, Vol.21, No.1, PP.100-104, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).12) 104

1999; M.S in Information Engineering, Asia University Min-Shiang Hwang received M.S. in industrial engi- Taichung Taiwan 2015; Doctoral Program of Information neering from National Tsing Hua University, Taiwan in Engineering, Asia University Taichung Taiwan from 2015 1988; and Ph.D. degree in computer and information sci- till now. From 2011 to 2014, he was the manager in ence from National Chiao Tung University, Taiwan in Enterprise Service Chunghwa Telecom South Branch 1995. He was a professor and Chairman of the Depart- Taichung Taiwan. From 2014 to 2017, he was the ment of Management Information Systems, NCHU, dur- operation manager in Medium division Taiwan Ricoh ing 2003-2009. He was also a visiting professor with Co., Ltd. Taichung Taiwan From 2017 Sep 20 he is University of California (UC), Riverside and UC. Davis the Apple MDM Server Service VP in Get Technology (USA) during 2009-2010. He was a distinguished profes- Co.Ltd. Taipei Taiwan. sor of Department of Management Information Systems, NCHU, during 2007-2011. He obtained the 1997, 1998, Eko Fajar Cahyadi is currently pursuing a Ph.D. 1999, 2000, and 2001 Excellent Research Award of Na- degree in the Department of Computer Science and tional Science Council (Taiwan). Dr. Hwang was a dean Information Engineering at Asia University, Taiwan. He of College of Computer Science, Asia University (AU), receives the B. Eng. and M. Sc. degree in electrical Taichung, Taiwan. He is currently a chair professor with engineering from Institut Sains dan Teknologi Akprind Department of Computer Science and Information Engi- Yogyakarta in 2009, and Institut Teknologi Bandung neering, AU. His current research interests include infor- in 2013, respectively. His research interest includes mation security, electronic commerce, database and data wireless network security, optical fiber communication, security, cryptography, image compression, and mobile and teletraffic engineering. computing. Dr. Hwang has published over 300+ articles on the above research fields in international journals. International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 105

Secure and Efficient Ranked Keyword Search over Outsourced Cloud Data by Chaos Based Arithmetic Coding and Confusion

Mengting Hu1, Hang Gao1, Tiegang Gao2 (Corresponding author: Tiegang Gao)

College of Computer and Control Engineering, Nankai University1 Tianjin Haihe Education Park, No. 38, Tongyan Road, Tianjin, China College of Software, Nankai University2 Tianjin Haihe Education Park, No. 38, Tongyan Road, Tianjin, China (Email: [email protected]) (Received June 8, 2017; revised and accepted Sept. 30, 2017)

Abstract storage space, and they can also enjoy high-quality ser- vices from a shared pool of configurable computing re- In this paper, a kind of secure and efficient ranked key- sources [3,4,6,20]. This makes cloud computing becomes word search over outsourced cloud data by chaos based popular, and various information, including sensitive and arithmetic coding and confusion is proposed. In the pro- important personal e-mails, location information, enter- posed algorithm, data owner firstly extracts keywords and prise documents are being outsourced into the cloud [1,2]. generates index for files set for every keyword, in or- der to protect the sensitive score information relative to Data privacy also becomes an important issue while file, logistic map based arithmetic coding is used to give cloud computing is increasingly prevalent. When peo- order-preserving mapping from original score to arith- ple outsource some personal or enterprise data into the metic coding, moreover, the number of relevant file to cloud, this information may be leaked to unauthorized keyword is expanded and chaos based confusion algorithm users, or the hacked. Although cloud service providers is used to enhance the security of the algorithm. Sec- (CSPs) have some data security measures such as fire- ondly, for the authorized users, they hold different au- walls and virtualization, however, these mechanism don’t thorized key, and generate different trapdoor even for the protect user’s privacy from CSPs itself due to the cloud same keyword, this is achieved by the idea of least signif- storage providers are not trusted [8, 13–15, 26]. icant bit replacement (LSBR). Upon receiving the trap- The traditional approach of privacy preserving of sen- door, cloud server first re-confuses to restore the order- sitive data is to encrypt data before the data is out- preserved coded scores, and then identifies the associated sourced into the cloud [5,16,25], but this may affects the files in a ranked sequence according to the coded scores. data application for authorized user. In the meantime, The proposed scheme can guarantee the security of the some authorized user may only want to use some spe- file, index and inquiry; make it impossible to disclose the cific data files, so, people proposed keyword-based search relation between trapdoor and keyword. Experimental method [12, 17, 21, 23], it permits user to select relative results and analysis are given to testify the security and files to the interested keyword, just as the method used efficiency of the proposed scheme. in plaintext search scenarios. Furthermore, different from Keywords: Least Significant Bit Replacement; Order- the keyword search in plaintext, people proposed search- preserving Mapping; Ranked Keyword Search able encryption schemes, which lets user search encrypted data through keyword search [17,23]. But these methods have some drawbacks, one is that the search results gives 1 Introduction no any relevance of the files with the keyword, users only know that these encrypted files contain interested key- Cloud computing is an emerging computing mode where word. Another problem is that user need spend much the data owner can be permitted to store their data into time to enquiry the encrypted data which cloud gives the cloud, by this kind of pattern of outsourcing the data back, so as to get the desirable file. Because user has no into the cloud, some enterprises and individuals need not knowledge of which file is mostly interrelated to the key- buy any storage devices with the demand of increased word. Based on above considerations, the ranked keyword International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 106 search (RKS) in the cloud data has been proposed. The to keep the files encrypted, and these files can be searched mechanism can operate the encrypted data by returning by a series of keyword. In order to protect the file from the matching files with some keyword in a ranked order attacks, he hopes to create secure ranked searchable index according to certain criteria [27, 29, 30]. Obviously, the from keyword and store them on the cloud server. RKS greatly enhanced the usability of data in the cloud. Authorized user: He hopes to get a series of files rel- In order to avoid leaking lots of sensitive frequency infor- evant to certain or some keywords submitted to cloud mation against the keyword privacy, RKS combined with server, and the cloud server can give ranker files in a cri- some order preserving schemes are given to protect the re- teria, thus the authorized user can easily obtain the files lation between the keyword and file from leaking [18,22]. he want. In this paper, a kind of secure and efficient ranked key- Cloud server: It stores the files and keyword index, word search over outsourced cloud data by chaos based when it receives the request from the user, it can in- arithmetic coding and confusion is proposed. In the pro- quiry index and return the search results according to posed algorithm, data owner firstly extracts keywords and some ranked relevance criteria. generates index for files set for every keyword, in order Application server: Application server is a component- to protect the sensitive score information relative to file, based product that provides middleware services for se- logistic map is combined with bisection method code to curity and state maintenance, along with data access generate order-preserving mapping from original score to and persistence. In our mode, it is a trusted program arithmetic coding, moreover, in order to enhance the se- that handles all application operations between users curity of the coded scores, the number of relevant file and an organization’s backend business applications or to keyword is expanded and chaos based confusion al- databases, and it can also be neglected in this model. gorithm is used to shuffle the scores. Secondly, for dif- ferent authorized users, even for the same keyword, as they hold different authorized key, so they generate dif- 2.1 Design Goals ferent trapdoor, this is achieved by the idea of least signif- This paper aims at presenting a secure and searchable icant bit replacement (LSBR). Upon receiving the trap- encryption scheme for outsourced data in the cloud, the door, cloud server first re-confuses to restore the order- scheme can prevent cloud server from learning some plain- preserved coded scores, and then identifies the associated text information or encrypted files information; moreover, files in a ranked sequence according to the coded scores. the proposed scheme has better communication efficiency. The highlights of our work can be summarized as fol- More specifically, the goals of the paper are given in the lows: follows.

1) In order to avoid leaking any information about key- 1) Privacy goal: Privacy goals include three points, word and its corresponding scores to the file set, which is data privacy, index privacy and keyword and chaos based arithmetic coding and confusion is used enquiry privacy. Data privacy means the data in the to hide the original keyword, meanwhile, the enlarge- cloud is secure and anyone including CSPs can’t ob- ment of number of scores corresponding to certain tain the plaintext of the data stored in the cloud. keyword also provides better privacy-preserving for Index privacy demands that adversary can’t obtain keyword and its scores. information stored in the cloud, including keywords, 2) Un-linkability of trapdoor is realized by the inspira- and scores relative to the keyword. Enquiry privacy tion of LSBR. This means that different user gen- demands that trapdoor generated by query keywords erates different trapdoor even for the same keyword should leak no information about the keywords. query, thus it can avoid adversary deduce the relation 2) Search and retrieval efficiency: The proposed scheme between some trapdoor and someone keyword. should have lower time complexity of search time, 3) Some analyses on the efficiency, security and pro- and moreover, the retrieval efficiency and accuracy grammability are given to show that the proposed also meets the demand with the explosive growth of scheme can be easily implemented even in the re- document size in big data scenario. source constrained mobile devices, and the proposed algorithm has high efficiency for data owner and user. 2.2 Notations Some notations used in the paper are described in the 2 Preliminaries following.

Some basic assumptions based on real application for out- C: The file set to be outsourced, denoted as a set of n sourced data management are given in this section. Con- data files; cerning the roles in the cloud service is data owner, data user and cloud server, as depicted in Figure 1. W : The distinct keywords extracted from file collec- Data owner: He has some set of files, he wants to out- tion C, denoted as a set of m words W = source these files to the cloud server, moreover he wants (w1, w2, . . . , wm); International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 107

Figure 1: System model of cloud data management

id(Fj): The identifier of file that can help uniquely locate 2.3 Logistic Map the actual file; Logistic map is a polynomial mapping; it is given in Equa- tion (2) T (Wi, ku): The trapdoor generated by a user as a search xn+1 = rxn(1 − xn). (2) request of keyword Wi , ku is the secret key of the user; For almost all initial conditions, the sequence of iteration is chaotic with the parameter r = 4 , and it has been used in data shuffling and encryption for all kinds of applica- Γ(Wi): The set of identifiers of the files in C that contain tion [9, 11]. keyword Wi;

Ni: The amount of files containing the keyword Wi. Ob- 2.4 Bisection Method Code viously, N = | Γ(w )|; i i The bisection method in mathematics is a root-finding method that repeatedly bisects an interval and then se- Invertedindex: inverted index is a list of mapping from lects a subinterval in which a root must lie for further keywords to the corresponding set of files that con- processing. Here the method of data code based on bisec- tain this keyword. In order to search the most related tion method is described in the following. file to the keyword, ranking function is often used to achieve the goal. 1) For a real number x ∈ [0, 1) , split the interval [0, 1) into two segments [0, α) and [α, 1), then if x ∈ In this paper, the ranking function is used to measure the [0, α),we selected [a1, b1) = [0, α) and binary bit 0 is relevance of files with certain keyword; it is often given in selected; else if x ∈ [α, 1), we select [a1, b1) = [α, 1) the form of relevance score. Without the loss of generality, and the bit 1 is selected, where α ∈ (0, 1). here, the relevance score is selected as the following: 2) The new interval [a1, b1) is split into two segments in the ration α . That is to say, [a , b ) is divided into X 1 N 1−α 1 1 Score(Q, Fd = (1 + ln fd,t) ln(1 + ). (1) [a1, α × (b1 − a1)) and [α × (b1 − a1), b1). Similarly, | Fd| ft t∈D one new bit 1 or 0 is produced, and new interval is se- lected. After k iterations, a k bit binary is produced, where Q is the searched keyword; fd,t stands for the times and an interval is generated. of term t appears in the file F ; f donates the file num- d t Obviously, when k → ∞ , generated k-bit data is closely bers that contains term t; N is the total number of files; equal to x, so the binary code generated by bisection and |F | is the length of the file F . For more detailed d d method is order-preserving, and it can be used to code description, one can see literature [4]. real number. To realize fast search, the keywords, IDs of files, and the relevance scores are usually organized as an index structure named ”Inverted Index”. A typical example 3 The Proposed Scheme of Inverted Index is shown in Table 1. The cloud server can complete search task through comparing the relevance In this section, the detailed description of the proposed scores stored in the index which represent the importance algorithm is given, and some examples are also given to level of each file for a certain keyword. verify the effectiveness of the algorithm. International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 108

Table 1: Example of posting list of the inverted index

Keyword w File ID F1 F2 ... FΓ(w) Relevant score 6.2 1.3 ... 7.6

3.1 Index Generation Generation of index includes three steps, one is computa- tion of relevance scores for every keyword; next is genera- tion of binary code for all the scores, and the last one is the shuffling of coded scores to generate privacy-preserving index. The flowchart is depicted in Figure 2. 1) Computation of Relevance Scores: Firstly, data owner extracts the keywords W = (w1, w2, . . . , wm) from the file set C, and then, the scores of relevant file for every keyword are calcu- lated by Equation (1). Next, the order-preserving binary code of the scores will be given by chaos based bisection method. 2) Generation of Binary Code: For every keyword wi, i = 1, 2, . . . , m, the hash of the keyword is calculated, marked as Hi , then converts the hash value to initial value x0 of logistic map which is expressed by Equation (2) using the same method as that of [10].

Next, iterate the logistic map for Ninsert = Ntotal − Ni times to obtain Ninsert random numbers, where Ntotal is the desired number of scores, and Ninsert is the number of randomly inserted scores.

Then, for all the scores related to keyword wi, i = 1, 2, . . . , m, labeled as si,t, t = 1, 2,...,Ntotal, trans- forms them into the interval of [0, 1), the interval is notated as [aj, bj), j = 0, the following step can be conducted to transform these scores into the binary code. a. Iterate the logistic map two times to obtain two numbers p and q, then, divide the [aj, bj), j = 0 into two sections according to the ration:

λj αj = (3) µj p q where λj = p+q , µj = p+q b. Obviously, the interval can be divided two sec- tions, one is [a , a + (b − a ) × λ ), the other Figure 2: System model of cloud data management j j j j j one is [aj + (bj − aj) × λj, bj) , if the si,t ∈ [aj, aj + (bj − aj) × λj), we get binary bit ”1”, else the bit ”0” is given. c. If the length of binary code is equal to the de- sired length, then, all the bits construct the bi- nary code of the score, else go to the Step 1) to continue to iterate until the length of the bits is enough. International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 109

Through the above step, all the binary code of the b. Calculate the hash of keyword and secret key scores related to all the keyword could be obtained. ku , denoted by h, and then convert it into 128- 0 The detailed flowchart of the procedure can be de- bit data by Equation (4), it is denoted by T = 0 0 0 w scribed in Figure 2. h128h127 . . . h1.

3) Generation of Privacy-preserving Index: 0 h = h ⊕ h , i = 1, 2,..., 128. (4) In this procedure, in order to protect the binary code i i i+128 from attacks of adversary, we shuffle all binary code where h = hash(w, ku). of the scores with respect to keyword. That is to say, for any keyword wi, i = 1, 2, . . . , m, the following c. For the secret key of inquiry ku , convert it steps are given to shuffle the binary. to the initial value of logistic map, and use Equation (2) to generate 64 different integers a. For above generated binary code of the scores, p1, p2, . . . , p64, which belong to {1, 2,..., 128}, iterates the logistic map for Ntotal times the p1, p2, . . . , p64 can be produced by Equa- to produce Ntotal numbers such as xi, i = tion (5). 1, 2,...,Ntotal,and then rearrange these num- 14 bers in ascending order or descending order to x0 = mod((abs(x0−F loor(abs(x0))×10 , 128)+1. form the sequences which may be expressed as (5)

G1 < G2, . . . < GNtotal . where abs(x)returns the absolute value of

b. Assume the position of xi in Gj, j = x.F loor(x) returns the value of x to the near- 1, 2,...,Ntotal is L, 1 ≤ L ≤ Ntotal, then, the est integers less than or equal to x, mod(x, y) binary code of scorei which is in the position of returns the remainder after division. th i will be moved to the L position of the vec- d. Then, replace the corresponding bit value of po- 0 tor si,j, j = 1, 2,...,Ntotal. Thus all the coded sition p1, p2, . . . , p64 in Tw with the bit value of scores are totally permutated. 64 hw in turn, thus, the new Ts of 128-bit data is Obviously, the binary code of the scores will be totally generated. confused through the above method, and no one can ob- Lastly, the trapdoor T = (T ||k ) is generated, tain any statistical information from the binary informa- w s u where T is a 128-bit binary data, and k is 32-bit tion, and for different keyword, the shuffling is different, s u binary secret key for the user. this characteristic of dynamics can effectively protect the binary code from attacks. 2) Achievement of Ranked Keyword Index: After all the scores corresponding to certain key- When the cloud server receives the trapdoor Tw = word have been shuffled, data owner will store I(wi) = (Ts||ku) for an interested keyword w, the servers will (id(Fi,j)||si,j) to the posting list in the cloud. inquiry the table of encrypted keyword, and obtain the file identifiers and the corresponding encrypted 3.2 Retrieval Phase scores, and then return the ranked file according the binary code. The detailed steps can be given in the In this phase, authorized user can retrieves ranked key- follows. word search, and accordingly can get desired file, this procedure includes trapdoor generation and obtaining of a. The cloud servers firstly use the same method ranked keyword index. as the step 3) used in the generation of trapdoor 1) Generation of Trapdoor: to get 64 different integers p1, p2, . . . , p64, which Trapdoor is used to encrypt the keyword, when au- belong to {1, 2,..., 128}, then extracts the 64- thorized user wants to inquiry certain keyword, he bit data from Ts by the same method as that sends it to the data owner, and the data owner will of 4) in the generation of trapdoor. The 64-bit generate the trapdoor of the keyword and send it to data is labeled with Tc. the cloud server. Here, the trapdoor is an encrypted b. Search the matched keyword. The cloud server query with secret key kuof certain user, and will be searches encrypted keyword index, and trans- used for searching the file corresponding to keyword. form the encrypted keyword into 32 bytes. And It is denoted by T rapdoor(w, ku). The fulfillment of then extracts 2-bits (LSB) least significant of ev- trapdoor function can be described as follows. ery byte, thus, a 64-bit data is got, denoted by h64. If the h64 is equal to T , then the interested a. For the keyword w, the 256-bit hash of the w is s s c inquiry keyword is gotten. firstly calculated, then; convert the hash value into 32 bytes. In the meantime, for the 256-bit c. Get ranked file index. Use the same method hash, we extract 2-bits (LSB) least significant as that in the procedure of generation privacy- of every byte, thus, 64-bit data is got, denoted preserving index to re-shuffle the coded scores 64 by hw . corresponding keyword w to obtain original si,j. International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 110

Figure 3: Generation of binary code International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 111

d. Obtain the front Ni encrypted scores corre- the statistical attacks, the scores are shuffled, and the dis- sponding keyword w, and discard the other in- tribution of shuffled original scores and coded scores are serted scores from the recovered Ntotal sequence depicted in Figures 4(c) and (d). of scores.

4 x 10 e. The server then selects the top-k most relevant 1 3 0.9 files according to the coded scores and sends 2.5 them to the users in the case that k is provided. 0.8 0.7 2

0.6 Remarks: The N stands for the desired number of 1.5 total 0.5 score, this number may play an important role in the pro- 0.4 1 posed scheme. In the basic SSE scheme [11], the number 0.3 m 0.5 P 0.2 is v = i=1 Ni. Here, it is recommended that Ntotal ≥ v. 0.1 0 In the meantime, if k ≤ N , then server return back the 0 5 10 15 20 0 5 10 15 20 i encoded scores top-k most relevant files, else server only return back valid file identifier. (a) Distribution of original scores (b) Distribution of encoded scores 4 x 10 Obviously, ranking keyword query in the proposed 1 3 0.9 scheme has some kind of property of fuzzy query, that is 2.5 0.8 to say, even for the same keyword inquiry, as different user 0.7 2 has different secret key, cloud server may receive different 0.6 1.5 trapdoor, but the different search may refer to the same 0.5 keyword query, this may avoid adversary deduce the rela- 0.4 1 0.3 tion between trapdoor and keyword. Moreover, shuffled 0.5 encoded scores also make statistical attacks impossible. 0.2 0.1 0 0 5 10 15 20 0 5 10 15 20

4 Experiments and Discussions (c) Distribution of shuffled scores (d) Distribution of shuffled encoded scores Figure 4: Data distribution of original and coded score In this section, some experiments are given to testify the effectiveness of the proposed scheme, and some com- parisons and analysis are also presented to show the performance and usability of the scheme. The experi- ments were done by Mathworks MATLAB version 12b in 4.2 Experiment Analysis IntelCpuP [email protected], RAM3.00GB. Here, assume that there are 10 files containing the keyword ”digital 1) Security Analysis: watermark”. The relevant scores of the file are list in the Firstly, for access pattern and search pattern, if the Table 2. same keyword wi is requested in query by differ- In order to resist the attack from the server, the file ent user, the query trapdoor submitted to the cloud scores are expanded to 20, thus,10 random score values server is different, and moreover, for different key- are given, such that 1.34, 4.55, 3.46, 7.66, 5.55, 9.18, 4.33, words in the same user query, the generations of trap- 3.58, 6.89, 8.88, and the generation of encrypted score is door are independent. firstly given. Secondly, the encrypted scores are randomly dis- tributed after they are coded and shuffled, thus the 4.1 Experimental Results original distribution of scores is totally disrupted, and this means that the score distribution is secure Firstly, the hash of keyword is used to encrypt the key- from the viewpoint of statistics features. word, and then we transform the hash value to the initial Lastly, despite the coded scores has order-preserving value of the logistic map, the next is to encode all the property, the final coded scores in the cloud has no scores. relevance between any two adjacent scores, it can be Here, the 256-bit hash value of keyword ”digi- seen from the experimental results in the Figure 4(c). tal watermark” and the 128-bit encrypted keyword are Thus, the relevance of scores is concealed, the data ”F9437D7F3598D8FB1CD9EE8D1E27A1DAC7E4E96D3- is secure. B8C56ABA3080B4A29ACCD80” and ”36C3E9CF4032BE45E05CE65118F7E706”, respec- In a word, in the proposed scheme, the coded scores tively. are the only information that adversary can utilize; After the relevant scores to the keyword digital water- cloud server can only get sorted coded scores. Even mark are coded, the distribution of original scores and if cloud server can learn partial information from the coded scores can be seen in Figure 4. It can be seen that confusion process, as it is a one-time pad for differ- the coded scores are order-preserving. In order to resist ent keyword, and different keys are used for different International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 112

Table 2: Example of posting list of the inverted index

Keyword w File ID F1 F2 F3 F4 F5 F6 F7 F8 F9 F10 Relevant score 6.78 7.23. 4.12 5.26 3.22 9.55 1.98 1.24 5.66 7.89

keywords and scores, thus, the keyword privacy can Because the 16-bit length of code is enough for be well preserved in the scheme. representing a number, so the difference of effi- For example, user A with the 32-bit key ciency affected by length of code is very small. ”4053415001” and user B with the key ”2872283436” As the code method is a simple binary opera- submit the inquiry keyword ”digital watermark”, re- tion, the algorithm efficiency is enough to meet spectively. The trapdoor generated by data owner for the demands for cloud storage and computing, user A is ”7B756725317B019806E2368E7D4AB07B”; even for the resource constrained mobile de- and however, the trapdoor generated for user B vices. is ”71EA8EC1B46B023F6A626531E0E7F0AB”. 0.04 Length of code is 15 Apparently, the trapdoor is different, but when Length of code is 16 they are submitted to the cloud server, they are 0.035 transformed and point to the same keyword ”digital 0.03 watermark”. 0.025

0.02 As for the random distribution of coded scores, it can times (second) be explained by another example. Assume that the 0.015 keyword ”digital watermark” and ”information hid- 0.01

0.005 ing” all have the same relevant scores to the files as 1 2 3 4 5 6 7 8 9 10 11 that in the Table 1, then distribution of coded scores size of the relevance score for keyword ”digital watermark” and ”information Figure 6: Efficiency of code for different length of code hiding” can be depicted in Figure 5. It can be seen from the Figure 5 that the coded score is different and the distribution of the coded score is also differ- b. Inquiry Efficiency ent despite the original scores are the same for two For the inquiry efficiency, some experiments keywords, so it is impossible to get any information are conducted. Firstly, the coded keywords from coded scores stored in the cloud. are stored in cloud server, remote computer

4 x 10 carries out inquiry of certain keyword, the 7 Keyword "IH" Keyword "DW" test is given for the number of keyword be 6 2000,4000,6000,8000,10000,12000. The time ef- 5 ficiency can be depicted in Figure 7. It need to 4 be explained that there are many factors, such

3

coded scores as the deploy of the server and the design model

2 of database all affect the inquiry efficiency, so it

1 is more precise to give inquiry time in the server.

0 0 5 10 15 20 number of scores 1000

900

800

Figure 5: Different distribution of coded scores for the 700 same original scores 600

500

400 inquiry time (ms) 300 2) Efficiency Measurement: 200 100

0 a. Index Construction In the proposed scheme, the 0 2000 4000 6000 8000 10000 12000 The amount of data length of the code for scores affects the perfor- mance of the algorithm, here, we tested the ef- Figure 7: Inquiry time for different amount of data fect of the length of the code, shown in Figure 6, it can be seen from the Figure 6, the size of the score is 180, and the time cost for coding is c. Comparison about 35 milliseconds. Firstly, from the security point of view, the International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 113

proposed scheme can guarantee the security of Acknowledgments data, index and inquiry, cloud server can’t ob- tain any information relative some inquiry, and The work was partly supported by the Program of Na- owing to the randomness of the coding, differ- tional Science Fund of Tianjin, China (Grant NO. 16JCY- ent keyword use different coding, therefore, it is BJC15700). The authors gratefully acknowledge the also secure against attack of decryption. In this anonymous reviewers for their valuable comments. aspect, some existing scheme such as the non- linear order-preserving index is insecure against attack [19]. References Secondly, from the efficiency point of view, the [1] D. S. AbdElminaam, “Improving the security of cloud proposed scheme generates binary code through computing by building new hybrid cryptography algo- bisection method; it is obvious that the algo- rithms,” International Journal of Electronics and In- rithm has the higher efficiency of computation formation Engineering, vol. 8, no. 1, pp. 40-48, 2018. than that of the quasi-linear or nonlinear order- [2] M. H. R. Al-Shaikhly, H. M. El-Bakry, and A. A. preserving coding, such as [19, 22–24]. Saleh, “Cloud security using Markov chain and ge- Lastly, from the unlinkability point of view, dif- netic algorithm,” International Journal of Electronics ferent from some generation algorithms of trap- and Information Engineering, vol. 8, no. 2, pp. 96-106, door [17, 24], the proposed algorithm uses the 2018. idea of least significant bit replacement (LSBR) [3] M. Armbrust, A. Fox, R. Griffith, et al. ”Above the to fulfil the unlinkability of the trapdoor. The clouds: A Berkeley view of cloud computing,” Techni- length of the trapdoor is 128-bit, the relative cal Report UCB-EECS-2009-28. Berkeley: University data to the keyword is randomly inserted into of California, pp.1-23, 2009. the 128-bit data, so it is difficult to deduce the [4] R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, I. relation between some trapdoors and some key- Brandic, ”Cloud computing and emerging it plat- word. forms: Vision, hype, and reality for delivering comput- ing as the 5th utility,” Future Generation Computer As for the programmability, the proposed scheme can be Systems, vol. 25, pp. 599-616, 2009. [5] Y. C. Chen, W. L. Wang, M. S. Hwang, “RFID au- easily implemented by any program language; it has the thentication protocol for anti-counterfeiting and pri- same better programmability as that of some existing vacy protection”, in The 9th International Conference scheme [19, 22]. on Advanced Communication Technology, pp. 255– 259, 2007. [6] P. S. Chung, C. W. Liu, and M. S. Hwang, “A study of 5 Conclusions attribute-based proxy re-encryption scheme in cloud environments”, International Journal of Network Se- In this paper, a kind of secure and efficient ranked key- curity, vol. 16, no. 1, pp. 1-13, 2014. word search over outsourced cloud data by chaos based [7] R. Curtmola, J. A. Garay, S. Kamara, and R. Os- arithmetic coding and confusion is proposed. In the pro- trovsky, ”Searchable symmetric encryption: Improved posed algorithm, data owner generates trapdoor of key- definitions and efficient constructions”, in Proceeding word and index for files set for every keyword, in order ACM Conferece Computer and Communications Se- to protect the sensitive score information relative to file, curity, pp. 79-88, 2006. logistic map based arithmetic coding is used to give order- [8] I. Damgard, T. Jakbosen, J. Nielsen, J. Pagter, ”Se- preserving mapping from original score to arithmetic cod- cure key management in the cloud,” Cryptography and ing, moreover, the number of relevant file to keyword is Coding, pp. 270-289, 2013. expanded and chaos based confusion algorithm is used to [9] T. Gao, Q. Gu, Z. Chen, ”Image encryption based enhance the security of the algorithm. For the authorized on a new total shuffling algorithm”, Chaos, Solitons, users, even they hold different authorized key, and gener- Fractals, vol. 38, no. 1, pp. 213-220, 2008. ate different trapdoor, they can also enquiry the same in- [10] H. Gao, M. Hu, T. Gao, R. Cheng, ”Double veriable terested keyword, and this is achieved by the idea of least lossless secret sharing based on hyper-chaos generated significant bit replacement (LSBR). The detailed steps random grid”, International Journal of Network Secu- of flowchart of the proposed scheme are described in de- rity, vol. 19, no. 6, pp.1005-1015, 2017. tail; some experiments are given to testify the usability [11] Q. Gu, T. Gao, ”A novel reversible robust water- of the algorithm. Lastly, some analysis and comparisons marking algorithm based on chaotic system,” Digital are given to highlight the merits of the proposed scheme. Signal Processing, vol. 23, no. 1, pp. 213-217, 2013. In the future, the system model on the addition, dele- [12] S. T. Hsu, C. C. Yang, and M. S. Hwang, “A study tion and modification of the files will be further re- of public key encryption with keyword search”, Inter- searched, and the inquiry model of multi-keyword will be national Journal of Network Security, vol. 15, no. 2, probed and analyzed. pp. 71-79, Mar. 2013. International Journal of Network Security, Vol.21, No.1, PP.105-114, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).13) 114

[13] M. S. Hwang, C. C. Lee, T. H. Sun, “Data error [25] K. Puttaswamy, S.Wang, T. Steinbauer, D. Agrawal, locations reported by public auditing in cloud storage A. Abbadi, C. Kruegel, B. Zhao, ”Preserving location service,” Automated Software Engineering, vol. 21, no. privacy in geosocial applications”, IEEE Transactions 3, pp. 373–390, Sep. 2014. on Mobile Computing, vol. 13, no. 1, pp. 159-173, [14] M. S. Hwang, T. H. Sun, C. C. Lee, “Achieving dy- 2014. namic data guarantee and data confidentiality of pub- [26] S. Subashini and V. Kavitha, ”A survey on security lic auditing in cloud storage service,” Journal of Cir- issues in service delivery models of cloud computing,” cuits, Systems, and Computers, vol. 26, no. 5, 2017. Journal of Network and Computer Applications, vol. [15] T. Jaeger, J. Schiffman, ”Outlook: Cloudy with 34, no. 1, pp. 1-11, 2011. a chance of security challenges and improvements,” [27] C. Wang, N. Cao, K. Ren, and W. Lou, ”Enabling IEEE Security Privacy, vol. 8, no. 1, pp. 77-80, 2010. secure and efficient ranked keyword search over out- [16] A. Khoshgozaran, C. Shahabi, ”Private buddy sourced cloud data”, IEEE Transactions on Parallel search: Enabling private spatial queries in social net- and Distributed Systems, vol. 23, no. 8, pp. 1467-1479, works”, in Proceedings of the IEEE International Con- Aug. 2012. ference on Computational Science and Engineering, [28] I. H. Witten, A. Moffat, T. C. Bell, ”Managing gi- Vancouver, Canada, pp. 166-173, 2009. gabytes: Compressing and indexing documents and [17] J. Li, Y. Lin, M. Wen,G. Yin, ”Secure and verifi- images”, IEEE Transactions on Information Theory, able multi-owner ranked-keyword search in cloud com- vol. 41, no. 6, 1995. puting”, in Proceedings of International Conference [29] Z. Xu, W. Kang, R. Li, K. Yow, and C. Xu, ”Effi- on Wireless Algorithms, Systems, and Applications, cient multi keyword ranked query on encrypted data Qufu, China, pp. 325-334, 2015. in the cloud”, in Proceeding IEEE 19th International [18] K. Li, W. Zhang, C. Yang, N. Yu, ”Security analy- Conferece Parallel Distribution System, pp. 244-251, sis on one-to-many order preserving encryption-based 2012. cloud data search”, IEEE Transactions on Informa- [30] W. Zhang, Y. Lin, S. Xiao, J. Wu, S. Zhou, ”Privacy tion Forensics and Security, vol 10, pp. 918-1926, 2015 preserving ranked multi-keyword search for multiple [19] D. Liu, S. Wang, ”Nonlinear order preserving index data owners in cloud computing”, IEEE Transactions for encrypted databased query in service cloud en- on Computers, vol. 65, no. 5, pp. 1566-1577, 2016. vironments”, Concurrency and Computation-Practice and Experience vol. 2513, pp. 1967-84, 2013. [20] L. Liu, W. Kong, Z. Cao, J. Wang, “Analysis of Biography one certificateless encryption for secure data sharing in public clouds,” International Journal of Electronics Mengting Hu was born in Shanxi Province, China, in and Information Engineering, vol. 6, no. 2, pp. 110- 1993. She received the B. S. degree in Software Engineer- 115, 2017. ing from Tongji University, Shanghai, China, in 2015. She [21] Q. Liu, G. Wang, J. Wu, ”Secure and efficient privacy is currently working toward the M. S. degree in Software preserving keywords searching for cloud services,” Engineering from Nankai University, Tianjin, China. Her Journal of Network and Computer Applications, vol. research interests include cloud computing and Informa- 35, pp. 927-933, 2012. tion Retrieval. [22] Z. Liu, X. Chen, J. Yang, C. Jia, L. You, ”New order Hang Gao was born in Tianjin City, China, in 1992. preserving encryption model for outsourced databases He received the B. S. degree in Software Engineering in cloud environments”, Journal of Network and Com- from University of Electronics Science and Technology of puter Applications, vol. 59, pp. 198-207, 2016 China, Chengdu, China, in 2015. He is currently work- [23] Y. Lu, ”Privacy-preserving logarithmic-time ing toward the M. S. degree in Software Engineering from search on encrypted data in cloud,” in Proceed- Nankai University, Tianjin, China. His research interests ings of 19th NDSS, SanDiego, California, USA, include information security and cloud computing. 2012. (http://dblp.uni-trier.de/db/conf/ndss/ ndss2012.html#Lu12) Tiegang Gao received Ph. D degree from Nankai Uni- [24] S. K. Pasupuleti, S. Ramalingam, R. Buyya, ”An ef- versity, Tianjin, China in 2005. He is a professor in college ficient and secure privacy-preserving approach for out- of software, Nankai University, China since 2006. His re- sourced data of resource constrained mobile devices in search interests include cloud computing and information cloud computing,” Journal of Network and Computer security, he has published or co-authored more than 100 Applications, vol. 64, pp. 12-22, 2016. papers in related field. International Journal of Network Security, Vol.21, No.1, PP.115-121, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).14) 115

Three Kinds of Network Security Situation Awareness Model Based on Big Data

Bowen Zhu, Yonghong Chen, Yiqiao Cai (Corresponding author: Bowen Zhu)

College of Computer Science and Technology, Huaqiao University Xiamen, 361021, China (Email: [email protected]) (Received June 7, 2017; revised and accepted Sept. 12, 2017)

Abstract each object, which is a holistic and global concept. NSSA refers to understanding the meaning of these elements in In this paper, we have proposed three kinds of network a given time and space and to predict the possible effects. security situation awareness (NSSA) models. In the era of Therefore, NSSA is a cognitive process of the network se- big data, the traditional NSSA methods cannot analyze curity. It is generally believed that NSSA is comprised the problem effectively. Therefore, the three models are of three modulesNSSD, NSSU, and NSSP [4]. The NSSA designed for big data. The structure of these models are model is shown in Figure 1. There are many problems very large, and they are integrated into the distributed that need to be solved. Such as low accuracy, poor fore- platform. Each model includes three modules: network casting accuracy, poor evaluation, poor performance and security situation detection (NSSD), network security sit- low efficiency, etc. uation understanding (NSSU), and network security sit- uation projection (NSSP). Each module comprises differ- ent machine learning algorithms to realize different func- tions. We conducted a comprehensive study of the safety of these models. Three models compared with each other. The experimental results show that these models can im- prove the efficiency and accuracy of data processing when dealing with different problems. Each model has its own advantages and disadvantages. Keywords: Big Data; Machine Learning; Network Secu- Figure 1: Network security situation awareness model rity Situation Awareness

Abawajy et al. [1] studied the Large Iterative Multi- 1 Introduction tier Ensemble (LIME) classifiers designed specifically for big data security. The classifier uses many basic classi- Big data has become a hot topic in recent years. Many of fication algorithms as the basis for an iteration to form this dataset is generated in the network environment, its a higher-level classifier to solve big data security issues. characteristics are a large size and high dimension. It is a By reference to LIME classifier, it is not difficult to find huge challenge for knowledge discovery, such as network that the algorithm plays a key role in big data analy- traffic anomalies. At the same time, the research and sis. The LIME classifier provides a good module fusion application of NSSA have gained wider attention as the strategy based on a variety of algorithms to efficiently Internet security has become more important [9]. solve big data issues in NSSA. The three NSSA models The scale and topology are expanding and complicated, based on big data are implemented under the guidance with the development of the Internet infrastructure. It of LIME classifier. Therefore, each model combines the makes the various threat in the network more subtle. data pre-processing function in NAAD and analyzes the The researchers hope to use NSSA to detect cyber-attacks association rules based on the dataset in NSSU to im- from a large number of high-dimensional data which has prove the accuracy of NSSP. And the parallel experiment a large amount of noise. Then they can understand the of each model is implemented on a distributed platform security trends of the whole network from a macro per- which improves the efficiency of NSSA. spective [4, 6, 11].The situation refers to the synthesis of The task of the first module is to identify all activi- International Journal of Network Security, Vol.21, No.1, PP.115-121, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).14) 116

Figure 2: N-NSSA model

ties in the system and the feature of these activities. It work Security Situation Awareness Model Based on Neu- is comprised of data preprocessing and activity model- ral Network (N - NSSA model), Network Security Sit- ing. The network data has high dimension and large size. uation Awareness Model Based on Random Forest (F - Therefore, the proposed module adopts data normaliza- NSSA model) and Network Security Situation Awareness tion and dimensionality reduction methods based on fea- Model Based on Star Structure (S - NSSA model) [8, 14, ture decomposition in data preprocessing [10]. Usually, 15]. These models analyze the various dangerous signals the number of rows in network data is much larger than that exist in the data based on knowledge reasoning. Each columns. So we need to limit the number of characteris- model classifies these threats and projects the results of tics within a range to reduce the dimensions of the data, the situation to the actual network environment. More which makes the feature more obvious. Currently, the specifically, the contribution of this paper is summarized focus of activity modeling is divided into methods with as follows: expertise-based and without prior knowledge. In this pa- per, the latter is used for activity modeling which based • In view of the shortcomings of the existing models, on the clustering algorithms (which can group according three novel models are proposed according to the idea to the similarity and dissimilarity) [7]. of LIME classifier. The task of the second module is to analyze the se- • According to the feature of the three models, the mantics and relation of network activities to infer the in- advantages and disadvantages of the models are an- tent of an attacker and anticipate possible attacks. The alyzed. module adopts the association rule mining algorithm [12], which mainly analyzes the logical relationship between • Experiments on distributed parallel platforms attacks (or multiple recurring patterns and concurrency demonstrate the availability and effectiveness of the relation). And then deduces the possible changes of at- three models. tack. In general, the entire dataset needs to be scanned cyclically when the association rules are analyzed. As the 2 Network Security Situation data grows, the cost of analysis will increase geometrically and the cost is unbearable when faced with big data. This Awareness Model module uses a parallel mining method which only requires scanning the dataset twice. On the basis of the scan, each In this section, we will introduce the structure and im- node in the parallel platform performs the association rule plementation of the three models. And then explain the analysis and summarizes the relevance of the dataset [13]. advantages and disadvantages of these models. The task of the third module is to assess the damage condition which has occurred in the network and make a 2.1 N - NSSA Model prediction about the potential threat. Each model will be As shown in Figure 2, this is the N-NSSA model, the described in detail in Section 3, and then the experimental model combined with a three-tier feed forward neural net- results will be analyzed in Section 4. work. In the input layer of the neural network, it contains In this paper, we proposed three NSSA models: Net- the first and second modules of NSSA. In the hidden layer, International Journal of Network Security, Vol.21, No.1, PP.115-121, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).14) 117 it will integrate the results of NSSU and transmit them tree to a leaf node forms a category prediction of these to output layer to adjust the error in the neural network objects in processed data. The model uses a top-down and make the situation projection. greedy strategy when building a decision tree. It selects The N - NSSA model is a back propagation network. the best-performing attributes at each node to classify On the direction of data transmission, it is not only from processed data and repeats the process until the tree is the input layer to hidden layer to output layer but also the able to classify these data accurately or all attributes are feedback from the output layer to the input layer. This used. structure makes the model has a self - learning function The building process of each tree in the model is rel- which can change the behavior according to the feature atively fast and there is no special requirement for the of the input data. This characteristic makes the model distribution of processed data. There is no requirement better able to classify the untrained pattern. And it also and restriction on the pre-processing of the data and there can effectively detect the nonlinearity inherent rules of is a high tolerance for the missing values. The model is data. The model has a complex structure, so it is not not susceptible to extreme values and it can be used to sensitive to some of the outliers in the data which makes deal with both linear and nonlinear relationship in pro- the model better able to tolerate noisy data. cessed data. In the third module, the model summarizes Although the N-NSSA model which incorporated into the conclusions of leaf nodes which generated by each de- the neural network has the above advantages, there are cision tree and outputs the results under the majority also some disadvantages. The neural network requires a rule. relatively long time to train the model, especially in the There are also some disadvantages of the F-NSSA face of big data. And the neural network is more sensi- model. In the process of building a decision tree, the tive to missing values and therefore require appropriate model uses the greedy strategy which seems to make the data preprocessing. The powerful learning ability of neu- current best choice, but not from the overall considera- ral network makes N-NSSA model prone to over fitting. tion. So it is easy to have a locally optimal choice. At the same time, the model lacks a variety of evaluation meth- 2.2 F - NSSA Model ods and does not suitable for continuous variables. In the case of an excessive number of variables, there will be the As shown in Figure 3, this is the F-NSSA model which risk of over fitting. consists of multiple decision trees. Its output result is determined by the number of output results of all decision 2.3 S - NSSA Model trees. The structure is divided into three layers from top to bottom. We can get the final result of NSSA at the As shown in Figure 4, this is the S-NSSA model which leaf nodes. The three modules of NSSA converged in this is implemented by reference to the star topology. It can three-tier structure. The NSSD of the first module is be divided into two parts: the peripheral part (which is performed at the top root node. Its result is transmitted divided into N nodes according to processed data) and to the second module for NSSU. Finally, the NSSP of the a core part. The peripheral part contains two modules third module is performed at each leaf node. (NSSD & NSSU) and the results of NSSU will be trans- mitted to the core part. The core part of the S-NSSA model is based on the Naive Bayesian algorithm. Bayesian is a very mature statistical classification method, it is mainly used to predict the possibility of a relationship between members of the class (For example, the proba- bility of a given category is determined by the properties of a given observation value). The S-NSSA model collects the results of each node in the peripheral part to under- stand the results. The model gets the overall situation through data fusion. In the S-NSSA model, it is less sensitive to missing value due to the advantages of the Naive Bayesian al- gorithm. And the algorithm is simple, so the efficiency of classification is stable. In the face of the small-scale dataset, the model has a very good performance. It can Figure 3: F-NSSA model handle multi-classification tasks. When dealing with big data parallelization is a good choice. It is not difficult to find that the main difficulty in estimating the poste- In this model, the input data will be divided into rior probability based on the Bayes’theorem is that the smaller parts. These small parts build tree roots, form class conditional probability is the joint probability on all branches and a number of leaf nodes (each node repre- attributes and it is difficult to obtain directly from the sents a conclusion). A path from the root of a decision limited train-set. In order to avoid this obstacle, the tra- International Journal of Network Security, Vol.21, No.1, PP.115-121, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).14) 118

analyzed on each tree, so its complexity is o(lognd). In the N-NSSA model, the neural network is a main structure of the model and the other modules are in- cluded. So the complexity of this model is mainly de- termined by these process. The time complexity of the N-NSSA model is o(n (logd + 1) t + lognd + 1) in the process of self-learning stage for error backpropagation. The forest is the main part of the F-NSSA model and the consumption of each node is the process of building a tree. The complexity is mainly related to the dimension of the data and the amount of data. So the complexity is o(nd). So the complexity of the F-NSSA model is o((log + 1) t + nd).The S-NSSA model is divided into two part. The peripheral part is distributed in each node, its complex- ity is o(nt (logd + 1) + lognd). The core part uses the Bayes’theorem. Its complexity is mainly related to the size of the data, so the time complexity of the model is: o(nt (logd + 1) + lognd) + n).

Figure 4: S-NSSA model 3 Experimental Results and Anal- ysis ditional Naive Bayesian Classifier takes the assumption Wu et al. [12] argue that the challenges of big data mining that all attributes are independent of each other (each are divided into three levels. One of them is the challenge attribute of processed data affects the classification re- of the data mining platform. Due to a large amount of sult independently). But this is unavoidable in the actual data, big data processing requires the use of parallel com- processing of the data. puting architectures. One of the major ways to deal with big data depends on the Hadoop platform [2]. The com- 2.4 Complexity Analysis putational framework used in this paper is MapReduce in the Hadoop ecosystem which is a batch parallel process- In this subsection, a theoretical analysis is conducted to ing computational framework with many machine learn- access the computational complexity of the three NSSA ing and data mining algorithms. Using the computational models. The efficiency of these models will be affected by framework to derive the relation between processed data the computer hardware, software and the scale of the clus- from a large number of historical data. On this basis to ter. These factors will mask the merits of these models. predict the next action of the attacker accurately [3]. So it is assumed that the time complexity of these models Our experiments were designed to evaluate the NSSA is related to the scale of the issue. Each model is divided of the three models. It is necessary to evaluate the three into three modules and their complexity determines the models proposed in this paper. The performance of each complexity of each model. First, we define several sym- model cannot depend only on theoretical analysis. The bols for subsequent analysis. N: the number of objects results of these experiments shown below will help further to be processed, K: the number of categories contained in study. Each model has advantages and disadvantages. the data, t: the number of iterations in the process, and The model performance was tested in the 1999 KDD - d: the dimension of the data. cup dataset and the 2015 CAIDA dataset. Three sets of In the NSSD module, the data preprocessing operation experiments were conducted in this paper and each set is carried out. The dimension reduction is the generation was divided into two or three parts [5]. of more obvious data from a large number of high di- mensional data and its complexity is o(nlogd * t + nt). 3.1 Comparison of True Positive Rate The data is classified according to the characteristics of the data. The analysis process is mainly based on the The first set of experiments was divided into three parts. distance between the data, and its complexity is o(ntk). The experiment was carried out on the 1999 KDD-CUP When parallel operated in the distributed platform, it is dataset. The dataset defines a network connection record calculated by multiple nodes in the cluster at the same as a sequence of TCP packets from start to end in a time, so k and t can be considered a constant, so the certain period of time and during this time the data is time complexity is o(n). The correlation analysis of the transmitted from the source IP address to the destination data is carried out in the NSSU module. In the process IP address under a predefined protocol (such as TCP or of analysis, an optimized strategy is used to analyze the UDP). Each network connection record is marked as nor- data according to the attributes and these attributes are mal or anomaly and the abnormal type is subdivided into International Journal of Network Security, Vol.21, No.1, PP.115-121, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).14) 119 four major categories. There are 39 types of attacks in over 90%. In this part of the experiment, the true positive the dataset, 22 types are in the training set and the rest rate of N-NSSA model and S-NSSA model exceeds the F- are in the test set. The same dataset is used in the same NSSA model. After preprocessing the primary data, the set of experiments. N-NSSA model and S-NSSA model overcame the sensitiv- ity of the dataset, thus the true positive rate was higher.

3.2 True Positive Rate and False Positive Rate The second set of experiments was divided into three parts which use the 1999 KDD-CUP dataset. The dataset is di- vided into four anomalies (DOS, R2L, U2R, PROBING). Each anomaly contains a number of attack types. In the experiment, we re-classify all the attack types in 4 and then add a large amount of normal data to each class to simulate a real network environment. The first part of the experiment uses the N-NSSA model to verify the true Figure 5: Comparison of true positive rate positive rate and false positive rate. The second part of the experiment uses the F-NSSA model to verify the true positive rate and false positive rate. The third part of the The first part of the experiment compares the true pos- experiment uses the S-NSSA model to verify the true pos- itive rate of the third module of each model. The NSSP itive rate and false positive rate. The experimental results module is implemented by the core algorithm of the model are shown in Figure 6. We evaluate the performance of (naive Bayesian, random forest, neural network). The ex- each model through two evaluation indicators. The first perimental results are shown in Figure 5. From the figure, indicator is the true positive rate. The second indicator we can see that the true positive rate of F-NSSA model is is the false positive rate. From the figure, we can see that better than the other two models and the N-NSSA model the true positive rate of each model is more than 90%, is the worst. Because the primary data is not prepro- and the false positive rate is less than 10%. They are cessed. There are extreme values and noise in the data. able to detect each anomaly well. So the three models The F-NSSA model has no requirement for the distribu- for network security situational awareness can have good tion of the data and it has a good tolerance to the missing performance. values. It is not easily affected by the extreme values, so the F-NSSA model is better. In the second part of the experiment, we compare the first and third modules. The primary data is preprocessed in the first module. The dimensions of primary data are high and it contains noise. These data is normalized and reduced which is beneficial for subsequent analysis after preprocessing. And then analyzing the relationship be- tween these data to modeling activities (identify activi- ties and extract features through clustering). This makes the characteristics of each category of experimental data more obvious. And then the results of NSSD will be trans- mitted to the third module (NSSP). Comparing the true positive rate of each model. The experimental results Figure 6: Comparison of TP & FP shown in Figure 5, we can see from the figure that the true positive rate of this experiment is improved and the F-NSSA model is still the best. The third part of the experiment includes all the mod- 3.3 Size-up and Speed-up ules of the model. The NSSU module analyzes the logical relation between the anomalies. Finding the association The third set of experiments is divided into two parts. rules between each anomaly that is hidden in the data. The experimental data is based on the CAIDA dataset. And infer the possible changes in the anomaly. Under- The dataset contains passive detection Internet anony- standing the meaning of the anomaly and transmitting mous data. The size of the dataset reaches to TB level. the results of NSSU to NSSP to do the final judgment This set of experiments uses the dataset about 20% of NSSA. From the experimental results in Figure 5, we (20GB). can see that the true positive rate of the three models pro- The first part of the experiment is the time-efficiency posed in this paper is much higher and the accuracy rate is comparison of the three models. In the case of the same International Journal of Network Security, Vol.21, No.1, PP.115-121, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).14) 120 node (10 nodes) in the Hadoop cluster to process the NSSA model make it relatively fewer data transmitted dataset with different size. The experimental result is between each node in the process of NSSA and the accel- shown in Figure 7. In this part of the experiment, seven eration ratio curve is approximately linear. The first two sizes of the dataset are divided (100MB, 500MB, 1GB, module of the S-NSSA model is the same as the F-NSSA 2GB, 4GB, 8GB, and 16GB). From the curve, in the fig- model. Each node independently processes the data so ure, we can see that the three models are relatively stable that it has a good parallel effect. However, there is a when dealing with big data. lot of data transmitted between all the nodes in the third module. So the acceleration ratio decreases as the number of nodes increases.

Figure 7: Size-up Figure 8: Speed-up In the figure, we can get this conclusion. The N-NSSA model always consumes the most time when dealing with According to the experiments, we can draw the follow- the same size of the dataset. The S-NSSA model is fol- ing conclusions. Firstly, we have a higher demand for the lowed. The F-NSSA model is most efficient. Because accuracy of NSSA, but the rules between the dataset are the N-NSSA model contains a self-learning stage for er- not easy to mining. And it is not sensitive to the time ror backpropagation which requires constantly learning efficiency. The N-NSSA model is more competent. The to adjust the error of judgment. So that can improve the accuracy of the N-NSSA model will increase with itera- accuracy of NSSA model. This process sacrifices some tion. However, we should pay attention to the size of the time but improves the accuracy. The third part of the training set to avoid the over-fitting situation. Secondly, first set of the experiment can prove it. From the per- when the size of data is very large and contains a lot spective of a structural feature of the S-NSSA model. Al- of extreme values or noise. The F-NSSA model is more though the peripheral module is parallelized at the same appropriate because the structural feature of the model time by many nodes, all the data in the NSSP module is makes it less sensitive to data distribution and easier to processed through the central core part. This leads to a handle big data. Finally, when the first two models are poor performance in terms of time efficient than the F- not able to adapt to the situation, the S-NSSA model is a NSSA model. The F-NSSA model divides a large amount good choice. Due to the stability of the model, it makes of data into relatively small units and then processes a the true positive rate is better and the parallel process- relatively small portion of the data at each node. Each ing of peripheral part of the model makes time efficiency node builds one decision tree which constitutes the entire can also be accepted. So it is better to choose a tar- network security situation. The final result is judged by geted model when confronted specific data and different each node which avoids one-sidedness and makes it very requirements. efficient when dealing with big data. The second part of the experiment is the process- ing time comparison between the three models. In the 4 Conclusions Hadoop cluster, the number of nodes increases gradually when the amount of data is constant. The experimental This paper introduces and studies three kinds of NSSA result is shown in Figure 8. With the expansion of the model. These models have been implemented on the dis- cluster, the communication and transmission consump- tributed platform and achieved a good experimental re- tion between each node increases. It can be seen from the sult. And we describe the composition of each model. figure that the acceleration ratio in the N-NSSA model These models can deal with different issues. The S-NSSA is low. Because the consumption between the nodes is model has a performance bottleneck. It is not difficult large during the error adjustment stage of the model. In to find out from the experiment that the acceleration ra- this part of the experiment, the F-NSSA model and the tio of the S-NSSA model decreases with the increase of S-NSSA model has the similar acceleration ratio. As we nodes. From this point, the other two models can bet- have already mentioned, the structural features of the F- ter handle multi-source heterogeneous data. The error International Journal of Network Security, Vol.21, No.1, PP.115-121, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).14) 121 backpropagation algorithm based on the neural network [8] V. D. Katkar and S. V. Kulkarni, “A novel paral- can improve the accuracy of N-NSSA model by contin- lel implementation of naive bayesian classifier for big uous learning which is a great advantage of the model. data,” in International Conference on Green Com- The tree-building process can well integrate with the dis- puting, Communication and Conservation of Energy, tributed platform, so the F-NSSA model has high speed pp. 847–852, 2014. in the face of big data. [9] L. Liu, Z. Cao, C. Mao, “A note on one outsourc- We conducted a systematic scientific experiment. The ing scheme for big data access control in cloud,” In- experimental results show that the existing machine learn- ternational Journal of Electronics and Information ing and data mining algorithms are effective. When par- Engineering, vol. 9, no. 1, pp. 29–35, 2018. allelizing these algorithms on the Hadoop platform to deal [10] Y. Liu, Z. L. Sun, Y. P. Wang, and L. Shang, “An with big data. This gives us a new idea to study and deal eigen decomposition based rank parameter selection with new issues brought by big data. When the stan- approach for the nrsfm algorithm,” Neurocomputing, dalone cannot solve these issues, we can solve it by calling vol. 198, no. C, pp. 109–113, 2016. the parallelized algorithm of the iterative fusion. [11] E. U. Opara and O. A. Soluade, “Straddling the next cyber frontier: The empirical analysis on network security, exploits, and vulnerabilities,” International Acknowledgments Journal of Electronics & Information Engineering, vol. 3, no. 1, pp. 10–18, 2015. Above work is supported by National Science Founda- [12] X. Wu, X. Zhu, G. Q. Wu, and W. Ding, “Data min- tion (NSF) of China under grant Nos.61370007, 61572206, ing with big data,” IEEE Transactions on Knowledge UI405254. Fujian Provincial Natural Science Foundation & Data Engineering, vol. 26, no. 1, pp. 97–107, 2014. of China under grant No.2013J01241, and Program for [13] Y. Xie, Y. Ma, C. Ling, and G. Wang, “A novel New Century Excellent Talents of Fujian Provincial un- parallel clustering algorithm PXM based on FP- der grant No.2014FJ-NCET-ZR06. Huaqiao University Tree,” in International Symposium on Instrumenta- graduate research innovation ability cultivation project tion & Measurement, Sensor Network and Automa- of China under No, 1511314013. tion, pp. 475–481, 2012. [14] C. Zhang and D. Yuan, “Fast fine-grained air quality index level prediction using random forest algorithm References on cluster computing of spark,” in Ubiquitous Intelli- gence and Computing and IEEE International Con- [1] J. H. Abawajy, A. Kelarev, and M. Chowdhury, ference on Autonomic and Trusted Computing and “Large iterative multitier ensemble classifiers for se- IEEE International Conference on Scalable Comput- curity of big data,” IEEE Transactions on Emerging ing and Communications and ITS Associated Work- Topics in Computing, vol. 2, no. 3, pp. 352–363, 2014. shops, pp. 929–934, 2016. [2] M. R. Ahmadi, “An intrusion prediction technique [15] C. Zhu and R. Rao, “The improved bp algorithm based on co-evolutionary immune system for network based on mapreduce and genetic algorithm,” in In- security (CoCo-IDP),” International Journal of Net- ternational Conference on Computer Science & Ser- work Security, vol. 9, no. 3, pp. 290–300, 2009. vice System, pp. 1567–1570, 2012. [3] T. Bhaskar, K. B. Narasimha, and S. D. Moitra, “A hybrid model for network security systems: Integrat- ing intrusion detection system with survivability,” Biography International Journal of Network Security, vol. 7, no. 2, pp. 249–260, 2008. Bowen Zhu Graduate student. His main research direc- [4] S. Qi, G. Jian, X. D. Zang, “Survey of network tion includes network security and intelligence algorithm. security situation awareness,” Journal of Software, vol. 11, no. 23, pp. 1–17, 2016. Yonghong Chen Professor. Mainly engaged in com- [5] S. M. Hashemi and J. He, “An evolutionary multi- puter network and information security research, includ- objective approach for modelling network security,” ing Internet of things and security, cloud computing and International Journal of Network Security, vol. 19, security, intrusion detection, digital watermarking, big no. 4, pp. 528–536, 2017. data security. [6] S. Islam, H. Ali, A. Habib, N. Nobi, M. Alam, and D. Yiqiao Cai Ph. D. Mainly engaged in intelligent algo- Hossain, “Threat minimization by design and deploy- rithms and their applications, data mining and other as- ment of secured networking model,” International pects of research. Journal of Electronics and Information Engineering, vol. 8, no. 2, pp. 135–144, 2018. [7] R. Katipally, L. Yang, and A. Liu, “Attacker behav- ior analysis in multi-stage attack detection system,” in The Workshop on Cyber Security & Information Intelligence Research, pp. 1–1, 2011. International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 122

NPKG: Novel Pairwise Key Generation for Resisting Key-based Threats in Wireless Sensor Network

M. Vaneeta1 and S. Swapna Kumar2 (Corresponding author: M. Vaneeta)

Department of Computer Science, Engineering, K. S. Institute of Technology1 14, Raghuvanahalli, Kanakapura Main Road, Bengaluru, India Department of Electronics, Communication Engineering, Vidya Academy of Science 2 Thalakkottukara, Thrissur, Kerla, India (Email: [email protected]) (Received July 5, 2017; revised and accepted Jan. 12, 2018)

Abstract ing energy problems, routing problem, traffic manage- ment problem, security problem etc [16, 26, 27] and there Securing the communication system in Wireless Sensor are more than thousands of research papers that have dis- Network (WSN) is still an open-end problem in spite of cussed the solution to such problems. The present paper series of dedicated research work for more than a decade. is focused on discussing security problems in WSN, which This paper presents a Novel Pairwise Key Generation is an unsolved problem till date. Although there has been (NPKG) technique intended for resisting replication at- series of potential research on strengthening the security tacks as well as other forms of attacks that are related features of WSN [31], still none of the security protocols to secret keys in WSN. The proposed system also harness are found to be resistive to potential key-based threats in the potential role of a base station and trusted author- WSN. ity which otherwise represents a mock module in existing studies. Designed using an analytical method, the pro- Basically, the source reason for all security problems in posed study particularly emphasize on achieving a bal- WSN is the miniature form of a sensor node from hard- ance between minimal resource utilization and ultimate ware structure viewpoint. Basically, such sensor nodes security feature of both forward and backward secrecy for are so small that they cannot be embedded with lots of further strengthening privacy, confidentiality, and non- complex cryptographic algorithms that run on the wired repudiation in WSN. The algorithm is exclusively de- network. This is because execution of such complex cryp- signed to handle the possible security issues in a dynamic tographic algorithm calls for heavy usage of resources that network of WSN for its upcoming applications. The study a sensor node cannot afford. It is also known that a sensor outcome shows better algorithm performance in contrast node operates on a battery, while every routing operation to the existing system. (where a sensor node is forwarding data packet or just in a listening mode) is associated with significant drainage Keywords: Key Generation; Pairwise Key Predistribu- of energy. Hence, usage of complex cryptographic-based tion; Security; Wireless Sensor Network operation is kind of forbidden in WSN [20, 21]. Majority of the conventional applications of WSN con- 1 Introduction siders that all the nodes are static. On the contrary, the sensory application in IoT is highly mobile and uses dy- The study of Wireless Sensor Network (WSN) has been namic topology. Although IoT based applications claim consistently a major point of focus among the research to support better communication performance, there is community of wireless network. The usage of WSN ap- no scheme to claim for ultimate secure communication plications has undergone revolutionary changes at present when sensors are integrated with cloud applications that than what it was five years back [17, 19]. At present, are already exposed to trillions of malicious programs. WSN is sought as one of the contributory technology in An existing security-based technique that often uses sym- Internet-of-Things (IoT), which is more about machine- metric key-based cryptographic approach [24] are found to-machine communication [10, 23]. The conventional most suitable to work on the low-resource node but suf- research-based study of WSN was in the direction of solv- fers from extreme overheads and higher dependencies to- International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 123 wards memory use. At the same time, the rate of scala- similar trend of work is also carried out by Zhou et al. [34]. bility degrades along with declination of secure communi- Gandino et al. [9] have considered static WSN and pre- cation properties. Hence, the existing techniques of using sented a unique key management technique for further symmetric-based approaches are definitely not appropri- enhancing the randomness in the pre-distribution process. ate to offer full-fledged secure communication in WSN. Chen et al. [28] have considered multiple encryption Mohammed Hassouna et al. [13] introduced an integrated keys to evolve up with the hierarchical management of hierarchical certificateless scheme with a Level 3 trust au- secret keys in heterogeneous WSN. thority merging the traditional PKI hierarchy and the Hu and Gharavi [14] have presented a multi-way hand- certificateless technology in one scheme. The new scheme shaking mechanism using Merkle-hash tree for enhancing employs the X509 certificate format and is free of the scal- the key distribution scheme. Choi et al. [3] have addressed ability and certificate management problems of the PKI. the randomness in key distribution scheme by incorpo- However, they are actually proven to provide symp- rating eigenvalue incorporated on the keypools to under- tomatic effectiveness towards only a few types of attacks stand any form of malicious tampering of the secret keys and they are never resistive against key-based attacks in in WSN. Bag and Roy [1] have achieved consistency in the WSN. Therefore, we present a novel technique of pair- key establishment process for securing the group-based wise key establishment especially focusing on resisting communication over grid interface of WSN. Bechkit et key-based attacks in WSN. We also find that there is a al. [2] have presented a unital distribution process of se- need for a multitier architecture design embedded within cret keys that minimizes the feasibility of common key a node to withstand multiple forms of attacks. This is to get compromised. Khan et al. [18] have presented a only possible when the randomness of the node is further key distribution of symmetric form especially emphasizing controlled to support a good balance between security on achieving memory minimization during predistribu- features and communication performance in WSN. The tion process. Eslami et al. [7] proposed an identity-based proposed system offers a novel solution where multiple group key exchange protocol which addresses these secu- layers of security are incorporated using very lightweight rity concerns. We prove that our scheme achieves seman- cryptography that ensures that neither the compromised tic security in the presence of the adversarial model. Ya- node nor the attacker node will pass the authentication gan [29] have investigated the Eschenauer-Gligor key and system incorporated by proposed pairwise key predistri- discusses its effectiveness towards achieving better con- bution process. nectivity during key predistribution in WSN. Doraipan- Section 1.1 discusses the existing literature where dif- dian et al. [6] proposed KMS using LLT matrix for both ferent techniques are discussed for pairwise key pre- Node-to-Node communication and Group communication distribution in WSN followed by a discussion of research emphasizing Local-connectivity, efficient node revocation problems in Section 1.2 and proposed solution in 1.3. Sec- method, perfect resilience, three-level authentication, re- tion 2 discusses algorithm implementation followed by a duced the storage. discussion of result analysis in Section 3. Finally, the con- Therefore, it can be seen that there have been vari- clusive remarks are provided in Section 4. ous schemes towards improving the security performance by further strengthening the pairwise key predistribution 1.1 Background scheme. All the existing studies have focused on a dif- ferent form of sub-problems under key predistribution This section discusses the existing work being carried out scheme with a common goal of secure communication in towards pairwise key distribution in WSN. The recent WSN. Although there are security advantages claimed in work carried out by Gandino et al. [8] has introduced all the above-mentioned schemes, there are also signifi- a composite protocol using an arbitrary distribution of cant pitfalls in existing scheme. The next section outlines the keys also focusing on memory minimization. Yuan et some of the significant limitation that the current paper al. [32] have presented a technique that optimizes the chooses to discuss. predistribution of keys considering the case study of het- erogeneous WSN and super network theory. Yagan and Makowski [30] have investigated the impact of arbitrari- 1.2 Research Problem ness towards the key pair distribution. Usage of graph- The significant research problems identified are as follows: based techniques can be found in work of Ding et al. [5] towards designing blocks using predefined knowledge of Computational complexity: It is seen that existing blocks. Halford et al. [11] emphasized on the usage of system does not emphasize on minimizing computa- public keys towards strengthening the secure communica- tional complexity while performing pairwise key pre- tion using group keys during multicast operation. A simi- distribution process. lar trend of using group keys was also carried out by Harn and Hsu [12] using multivariate polynomial approach. Dynamic Topology: Dynamic topology is less often Zheng et al. [33] have constructed an algorithm using considered in existing techniques and thus it does seeds and path key for enhancing the legitimate arbitrary not support mobility factor during secure key man- secure key during the distribution method in WSN. The agement. International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 124

Attacks: Study towards node replication, as well as a so- the generated pairwise as well as cluster keys in such a lution towards key-based attacks, are less and more- way that neither the adversary nor the compromised node over existing system does not offer a full round of would be able to perform decryption of these keys. The security on its encryption steps. presented technique also focuses on utilizing trusted au- thority (TA) and base station for assisting in validating Clustering: The impacts of clustering towards the secret the updated key as well as secure management of revoked key generation process during predistribution of keys key list in order to ensure privacy and non-repudiation are not studied well. towards secure communication system in WSN. The next Therefore, the problem statement of the proposed section highlights the algorithm implemented for this pur- study can be stated as to design and develop a pair- pose. wise key distribution system that has supportability of dynamic topology, highly resistive towards lethal key- based threats, and does not adversely affect energy 2 Algorithm Implementation consumption during the security operation. The proposed system offers a novel mechanism for key 1.3 Proposed Solution management. It is responsible for securing the commu- nication channels in WSN using multiple forms of key The prime purpose of the proposed system is to introduce attributes. The proposed system uses a novel framework of security towards key management in WSN by emphasizing on evolving up with pairwise 1) Key of the individual sensor (kind); key predistribution using analytical research methodol- 2) Key of public and private encryption (kpriv, kpub); ogy. The core goal of this technique is to offer 1) Significant resistance against replication attack and 3) Key for pairwise distribution (kpair); other key-based attacks; 4) Key during clustering (kclust). 2) Offers more immunity towards nodes getting compro- The Notations used in algorithm are as follows in Table 1. mised; 3) Enhanced secrecy, etc. the schematic diagram of the Table 1: Notations proposed methodology is as shown in Figure 1. Notation Meaning N1, N2 # of Member and CH nodes a Simulation Area ψ Arbitrary Orientation α Security Attribute σ1, σ2, σ3, σ4, β System Parameters bound Boundary Area τ0, τ1, τ2, τ3 Hash Functions arb(1) Generate one Arbitrary Number. arb(N1) Generate N Arbitrary Numbers. γ1,γ2 Partial public/private keys at BS λ1, λ2, δ,µ1, µ2, µ3 Security Parameters. SI Security Index. Thres Threshold value

Figure 1: The proposed scheme The proposed algorithm generates key of public and private encryption (kpriv, kpub) and key for pairwise dis- The adopted methodology uses 4 different types of keys tribution (kpair), of the system in Algorithm 1. to perform key management in WSN. There are 4 discrete In the above algorithm (Line-2) initializes N1, N2, a, modules firstly responsible for configuring the system fol- ψ, α, σ1, σ2, σ3, σ4. In (Line-3) random x and y coordi- lowed by generation of a pairwise key, the formation of nates are generated using random function arb (N1) and clusters, and updating operation. The proposed system member nodes are deployed under boundary area bound. also formulates the scenario of mobility where a node may Similarly, Cluster heads are deployed in mesh grid topol- possibly join a new cluster and leave an old cluster in or- ogy. In (Line-4) ψ (arbitrary orientation angle) is calcu- der to assess the impact on both forward and backward lated to apply random mobility to all nodes. The com- secrecy. Basically, the proposed system focuses on gener- plete execution of the algorithm is carried out in following ating pairwise keys followed by multiple steps of securing subsections. International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 125

Algorithm 1 Algorithm for novel pairwise key generation of γ2 and nodes private key. The full public key is the (NPKG) transpose of nodes public key and γ1. In case of attacker 1: Begin node, the identifier validation fails at initial step only and 2: init N1, N2, a,α,σ1,σ2,σ3,σ4 there will be no generation of any form of full private 3: [x y] ← bound+(a-2? bound)? arb(N1) or public key. The proposed algorithm uses any form of 4: [x y] ← N2 in meshgrid cryptographic function to generate a key of the individual 5: ψ → 2π.arb(N1) sensor. Immediately, after all the 4 types of keys are gen- 6: for i = 1 : N do erated, a confidential list of all the public keys and node 7: [τ0] → arb(1)?σ12,[τ1] → σ13?arb(1)?σ3 identifiers are maintained along with a separate matrix for 8: [τ2 τ3] → σ1?arb(1)?[σ1?arb(1)]? [σ1?arb(1)]? σ1 revoked keys. Hence, the algorithm fails the attackers in 9: β = [σ1, σ2/σ1, σ3, σ4, σ5= θ?σ4, τ0, τ1, τ2, τ3] the first step of key management itself without affecting 10: γ1 → [1+arb(N)]. σ4 the existing communication or security-based operation. 11: γ2 → [1+arb(N)]+ mod([1+arb(N1)? τ0 It should be noted that trusted authority plays a crucial (Sensor Node ID+ γ1+([1+arb(N1)]. role in this process. σ4),prime-number)]) 12: kpriv = [(γ2)’, [1+arb(N1)]’] & 2.2 Generation of Pair Wise Keys kpub = [([1+arb(N1)].σ4)’, γ1’] 13: for j = 1 : N1 do This part of the algorithm is responsible for computing 14: Compute λ1, λ2, δ and generating a pairwise key. The first step of this pro- 15: Compute µ1, µ2, µ3 cess is to select the source node and compute its secure 16: if (µ3?σ4 == Thres) then index SI as the product of its identifier and σ4. Secondly, 17: λ2 = σ1.c calculate distance among all nodes and find out nodes 18: end if within the range. It then performs the computation of 19: end for other two security parameters λ1 and λ1 as follows: 20: end for 21: generate kpair ← λ2 λ1 = arb(1) · τ0.nodes in range(d, R).σ4 · σ5 + mod 22: End (arb(1) ? nodes in range(d, R), prime-number) λ2 = τ1.arb(1).λ1.arb(1).σ4.nodes in range(d, R)

2.1 Configuring System for Key- The above-mentioned expression leads to the genera- Management tion of λ1 and λ2 respectively (Line-13) for all the member nodes (Line-12). The next step of the generation of the In the first step, it is assumed that the base station con- pairwise key is to compute three more security parame- siders a prime number of α-bit as security attribute, tuple ters i.e.µ1, µ2, µ3 (Line-14). δ and arb(1) are the ran- (σ1, σ2/ σ1, σ3, σ4) of natural numbers, and selects a root dom numbers. Following empirical mechanism is opted private key θ and computes the public key of the system for computing these parameters: as σ5, which is a product ofθ and σ4. τ0, τ1, τ2, τ3 are cryptographic hash functions defined in (Line-6 and Line- µ1 = τ2 · SI · δ · λ1 · a · arb(1) · nodes, within, 7). A typical empirical mechanism is used for computing the four different hash functions. Finally, in (Line-8) a range (d, R) system parameter β is defined as a set of (σ1, σ2/ σ1, σ3, µ2 = τ3 · SI · δ · λ1 · arb(1) · nodes within range (d, R) σ4, σ5= θ.σ4, τ0, τ1, τ2, τ3). µ3 = arb(1).arb(1) · µ1 · arb(1) · µ2. The next step is the enrollment process of the legiti- mate sensors with the base station. For this purpose, the Assume that source node sends a packet as combina- base station is assumed to recognize the legitimacy of a tion of Secure Index and µ3. The receiver node decap- sensor node using a specific identifier for both N1 and N2. sulates the packet by performing product of an arbitrary The algorithm allows all the sensors (N=N1+N2) to com- number and secure index SI and recomputes µ1. In (Line- pute a private key ? as a random number between 1-1000 15) the system performs the comparison of the product using arbitrary function and then compute the product of µ3 and σ4 with dynamic threshold value Thres. The of θ and σ4 as a public key of that node. At the same computation of Thres is carried out as follows: time, the trusted authority is assumed to receive a request for generating and the computation of the partial private T hres = arb(1) + τ0 · a · arb(1) · arb(1) · σ5 and public key for all nodes is carried out by γ1 and γ2 +τ1 · arb(1) · τ2 · arb(1). as shown in Line-9 and Line-10 respectively. All the member nodes perform validation of their pri- The third layer of security is considered by assuming vate keys by assessing the condition of γ2. This step is the state of a compromised node by re-computing λ2 and followed by further generation of full secret keys by all then upgrading the key generation process. In this, the nodes in (Line-11). The full private key is the transpose updated value of the λ2 will be as σ1.c, where c is as International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 126 follows. node. However, energy factor is being evaluated with re- spect to two different forms of the time instances as shown c = arb(1) · σ5 · λ1 · arb(1) · arb(1) · σ5 · arb(1) · in Figure 2 and Figure 3. The study outcome is also nodesinrange(d, R). compared with the most frequently adopted techniques of pairwise key distribution using polynomial-based ap- The above step offers extra security for compromised proach [15], combinatorial-based approach [25], Grid- nodes (Line-16) as if the node is compromised then it will based approach [22], and Multivariate-based approach [4]. be able to find the value of c as that will further result Impact of updating cluster key on Energy in failure. Hence, the algorithm could offer enough resis- Consumption: The first performance parame- tance to both adversaries as well as compromised nodes. ter evaluated is the impact of updating cluster key Therefore, Line-20 results in the generation of the pair- on energy consumption. wise during each round of authentication in WSN.

2.3 Cluster Key Generation The final step is the generation of cluster key. The cluster key is generated using any form of cryptographic hash function on the root private key i.e. θ and cumulative hash value from concatenation.

2.4 Updating Operation Uniqueness in the implementation of the above algorithm is that the cluster updating operation is only carried out by cluster head nodes, hence if any of the member nodes try to alter or change the cluster key than that member node will be indexed directly as the adversary. The cluster Figure 2: Impact of updating cluster key on energy con- head even considers the node mobility factor and notifies sumption the base station about any form of alteration. There are multiple reasons for a sensor to either join a new cluster or leave from an old cluster. The proposed system offers The proposed system maintains this time instance in maximum time-based synchronicity so that all the cluster order to dynamically configure the cluster with the heads are always connected to each other, which is quite mobility of the nodes. This will mean that if the value essential during validation steps. The key revocation list of frequency of updating cluster key is equivalent to is constructed by the cluster head and maintained by a zero than updating process of cluster key is carried trusted authority, hence there is no scope that it could out only on demand(i.e. when node moves away or be compromised by any means. Once the revocation list moves in the cluster) or else the cluster head waits is constructed than only the base station has the privi- till the specified time instance in order to update. lege to update the security attributes and not the clus- The proposed system uses about 1.2 units of energy ter heads. In this way, the proposed system maintains to update the key up to 10 sec and then gradually de- a good balance between forward and backward secrecy creases. The outcome shows that proposed system of- while performing any authentication of the nodes during fers significantly lower scale of energy consumption as the communication process of data aggregation in WSN. compared to existing system. Polynomial-based ap- The next section highlights the outcome obtained after proach is nearly similar form as that of proposed sys- implementing the above mentioned pairwise key genera- tem as it works on finite field cryptosystem normally. tion algorithm and discusses its effectiveness. However, it includes maximum processing towards computing the common key and consumes about 1.9 3 Result Analysis units of energy up to 10 sec and then decreases. Sim- ilarly, combinatorial-based key pair distribution may The study outcome of the proposed system is imple- pose a potential mechanism toward privacy preser- mented in Matlab with a large number of 100-500 sensor vation but it includes increasing number of variables nodes in presence of multiple cluster heads. The simula- that has higher dependencies on heuristic-based data. tion is repeated for 50 times, and results report the av- This leads the algorithm to consume more amount of erage values. The Proposed system is evaluated in terms energy only during the key set up process. It con- of memory usage, time, security evaluation and computa- sumes about 3.1 units of energy up to 5 sec and then tional complexity. As the proposed study has introduced decreases. a novel cryptosystem for incorporating security, so we em- Existing techniques towards grid-based key predistri- phasize on assessing the energy performance of a sensor bution calls for static positioning of the nodes. This International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 127

technique has two pitfalls i.e. time in the range of 0 to 600 second. Although the combinatorial-based approach is also evident with 1) It does not address dynamism; the similar trend, owing to increasing the number 2) Similar effort for all member nodes leads to un- of processing in the initial level of key distribution, it necessary power consumption. Moreover, re- suffers from increased energy consumption of about dundant data could not be controlled as there 153 units and then very gradually decreases up to 130 is very poor communication among the cluster units. Both grid-based, as well as multivariate-based, heads and hence there is much power drainage are found to have a steep trend of energy but such consuming 4.9 units of energy up to 5 sec and trend is highly harmful to the nodes running the dy- then steeply decreases to 2 units at 10 sec and namic application in WSN. Grid approach consumes the gradually decreases. Similarly, if the num- 230 units initially and steeps down to 150 after 300 ber of clustering key updating process is in- seconds and then gradually decreases. Multivariate creased than multivariate schemes involves com- consumes 350 initially and steeply reduces to 170 af- plete processing using static threshold factor ter 100 seconds and then decreases further. From the that causes excessive drainage of approximately energy viewpoint, it is essential that all the nodes 8.5 units of energy in the first few rounds if mo- should have a nearly equal rate of energy dissipation bility is considered. The proposed system over- for any form of energy-efficient algorithm to work if comes all the above mentioned limitations of the wait time is increased. Moreover, with an in- existing approaches by ensuring that algorithm crease of wait time, the cryptographic process will process all the dynamic clustering and routing further be delayed to get executed, which may be information without overburdening the memory another cause of the further attack. We also find of any sensor node. This is one of the prime that increase in node mobility also increases the en- factors that illustrates that proposed system is ergy consumption in the existing system for both the capable of supporting increasing number of up- performance factor of time. dates without any potential adverse effect on the communication process. Therefore, cumulatively, the study outcome finds that when the frequency of updating cluster key in- Impact of Wait Time on Energy Consumption: creases than proposed pairwise key distribution sys- The next performance parameter is wait time the tem witnesses minimized the rate of energy con- time that allows the sensor to wait until root sumption. The proposed system takes approximately pairwise key is disposed of when it departs from the 1.48869 seconds to perform the entire process of com- member nodes. Therefore, when the wait time is putation because all the existing system consumes zero second revocation of the root pairwise key takes 7.47719 seconds in average. place as the node moves away from the existing cluster. Memory Usage: From memory viewpoint, the pro- posed system does not dispose extra memory. Mem- ory is occupied by the hash functions, private, public and pairwise keys, ?. There is very less number of static variables and more number of dynamic vari- ables. The proposed system optimizes its memory to a higher level under different circumstances of com- munication. These lets the algorithm work and re- spond faster in generating the pairwise key in con- trast to the existing system.

Security Evaluation: A closer look at all the above mathematical expression will show that there are de- pendencies among multiple parameters. As this in- formation will be never with any compromised or ad- versary, so even if adversary crosses the first process of system configuration, they will result in the failed Figure 3: Impact of wait time on energy consumption computation of threshold, which will be a direct in- dication of the node being adversary. Figure 3 shows that with the increase of waiting time Thus, the proposed algorithm offers comprehensive the energy consumption is also affected. A closer level of security in generating pairwise keys in WSN look shows that the proposed system and polynomial- that can assist in performing validation of the mem- based approaches show a similar trend of energy con- ber nodes as well as cluster heads during every round sumption, where both the system successfully main- of data aggregation cycle. The algorithm also trans- tains the similar scale of energy dissipation for wait mits significant amount of computed security results International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 128

to the base station to filter the list of genuine and scheme for wireless sensor networks,” IEEE Trans- illegitimate nodes existing in the network. However, actions on Wireless Communications, pp. 948–959, the base station always does dual check on the mes- 2013. sages that are aggregated from the other nodes (clus- [3] S. J. Choi, K. T. Kim and H. Y. Youn, “An energy- ter head) by comparing the list that is maintained efficient key predistribution scheme for secure wire- within itself with the one that is maintained by the less sensor networks using eigenvector,” Interna- trusted authority. As it is assumed that a trusted tional Journal of Distributed Sensor Networks, 2013. authority can never be compromised therefore there DOI 10.1155/2013/216754. is no scope for any form of the error. Another inter- [4] F. Delgosha and F. Fekri, “A multivariate key- esting part of this algorithm implementation is that establishment scheme for wireless sensor networks,” the updating pairwise key is a continuous process; IEEE Transactions on Wireless Communications, however, the root of the private key is completely pp. 1814–1824, 2009. independent of any form of key updates. [5] J. Ding, A. Bouabdallah, and V. Tarokh, “Key pre- distributions from graph-based block designs,” IEEE Usage of Cryptographic Primitive: The usage of Sensors Journal, pp. 1842–1850, 2016. cryptographic primitive is very less and is only lim- [6] M. Doraipandian and P. Neelamegam, “An efficient ited to applying any standard encryption for finally key management scheme in multi-tier and multi- generating the cluster keys. Rest all are simple con- cluster wireless sensor networks,” International Jour- catenation and conditional operation that makes the nal of Network Security, pp. 651–660, 2015. proposed algorithm quite lightweight to balance the [7] Z. Eslami, M. Noroozi, , and S. K. Rad, “Provably security demands and enhanced network lifetime in secure group key exchange protocol in the presence of order to meet the claimed security goals. Therefore, dishonest insiders,” International Journal of Network looking at the trend of outcome, the proposed sys- Security, pp. 33–42, 2016. tem is better applicable in sensory application that [8] F. Gandino, R. Ferrero, and M. Rebaudengo, “A key demands consistent monitoring process, e.g. emer- distribution scheme for mobile wireless sensor net- gency application, tactical applications, combat field works: q - s -composite,” IEEE Transactions on In- monitoring healthcare, etc. formation Forensics and Security, pp. 34–47, 2017. [9] F. Gandino, B. Montrucchio, and M. Rebaudengo, 4 Conclusion “Key management for static wireless sensor networks with node adding,” IEEE Transactions on Industrial Security is yet a challenging problem in WSN which ren- Informatics, pp. 1133–1143, 2014. ders prior security algorithm non-applicable for the up- [10] H. Geng, Internet of Things and Data Analytics coming application of IoT where sensory applications are Handbook. Florida: John Wiley & Sons, 2017. used along with cloud computing. The present paper in- [11] T. R. Halford, T. A. Courtade, K. M. Chugg, Li, and troduced a novel key management approach that is con- G. Thatte, “Energy-efficient group key agreement for structed keeping in mind the necessity of dynamic net- wireless networks,” IEEE Transactions on Wireless works in upcoming application of WSN. The proposed Communications, pp. 5552–5564, 2015. algorithm is constructed for offering sustainable commu- [12] L. Harn and C. F. Hsu, “Predistribution scheme for nication system with equal stress on highly resilient key establishing group keys in wireless sensor networks,” generation process along with robust mechanism of the IEEE Sensors Journal, pp. 5103–5108, 2015. key updating process. The dynamic topology is con- [13] M. Hassouna, B. Barry, and E. Bashier, “A new level structed considering that a node may join or leave the 3 trust hierarchal certificateless public key cryptog- cluster at any point in time so that both forward secrecy raphy scheme in the random oracle model,” Inter- as well as backward secrecy is maintained. The study out- national Journal of Network Security, pp. 551–558, come of the proposed system is compared with existing 2017. approaches of key predistribution to find that proposed [14] B. Hu and H. Gharavi, “Smart grid mesh network system offers better energy conservation. security using dynamic key distribution with merkle tree 4-way handshaking,” IEEE Transactions on Smart Grid, pp. 550–558, 2014. References [15] H. Ito, A. Miyaji, and K. Omote, “Rpok: A strongly resilient polynomial-based random key pre- [1] S. Bag and B. Roy, “A new key predistribution distribution scheme for multiphase wireless sensor scheme for general and grid-group deployment of networks,” in IEEE Global Telecommunications Con- wireless sensor networks,” EURASIP Journal on ference (GLOBECOM’10), pp. 1–5, 2010. Wireless Communications and Networking, pp. 145, [16] S. R. Jondhale, R. S. Deshpande, S. M. Walke, 2013. and A. S. Jondhale, “Issues and challenges in rssi [2] W. Bechkit, Y. Challal, A. Bouabdallah and based target localization and tracking in wireless sen- V. Tarokh, “A highly scalable key pre-distribution sor networks,” in International Conference on Au- International Journal of Network Security, Vol.21, No.1, PP.122-129, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).15) 129

tomatic Control and Dynamic Optimization Tech- [30] O. Yagan and A. M. Makowski, “Wireless sensor net- niques (ICACDOT’16), pp. 594–598, Sep. 2016. works under the random pairwise key predistribu- [17] Kamila and N. Kumar, Research on Wireless Sensor tion scheme: Can resiliency be achieved with small Network Trends and Technologies and Applications, key rings?,” IEEE/ACM Transactions on Network- Florida: IGI Global, 2016. ing, pp. 3383–3396, 2016. [18] E. Khan, E. Gabidulin, B. Honary, and H. Ahmed, [31] M. B. Yassen, S. Aljawaerneh, and R. Abdul- “Matrix-based memory efficient symmetric key gen- raziq, “Secure low energy adaptive clustering hier- eration and pre-distribution scheme for wireless archal based on internet of things for wireless sensor sensor networks,” IET Wireless Sensor Systems, network (WSN): Survey,” in International Confer- pp. 108–114, 2012. ence on Engineering & MIS (ICEMIS’16), pp. 1–9, [19] S. Khan, Al-Sakib K. Pathan, and N. A. Alrajeh, Agadir, 2016. Wireless Sensor Networks: Current Status and Fu- [32] Q. Yuan, C. Ma, X. Zhong, G. Du, and J. Yao, “Op- ture Trends, Florida: CRC Press, 2016. timization of key predistribution protocol based on supernetworks theory in heterogeneous WSN,” Ts- [20] C. T. Li, M. S. Hwang, “A lightweight anonymous inghua Science and Technology, pp. 333–343, 2016. routing protocol without public key en/decryptions [33] S. Zheng, Y. Tian, L. Jin, and Y. Yang, “A portable for wireless ad hoc networks”,Information Sciences, random key predistribution scheme for distributed vol. 181, no. 23, pp. 5333–5347, Dec. 2011. sensor network,” Journal of Sensors, pp. 14, 2014. [21] C. T. Li, M. S. Hwang and Y. P. Chu, “An effi- [34] B. Zhou, J. Wang, S. Li, and W. Wang, “A new cient sensor-to-sensor authenticated path-key estab- key predistribution scheme for multiphase sensor net- lishment scheme for secure communications in wire- works using a new deployment model,” Journal of less sensor networks”, International Journal of Inno- Sensors, pp. 10, 2014. vative Computing, Information and Control, vol. 5, no. 8, pp. 2107-2124, Aug. 2009. [22] N. X. Quy, V. Kumar, Y. Park, E. Choi, and D. Min, Biography “A high connectivity pre-distribution key manage- ment scheme in grid-based wireless sensor networks,” M. Vaneeta is Associate Professor in Department of in International Conference on Convergence and Hy- Computer Science and Engineering, K. S Institute of brid Information Technology, pp. 35–42, 2008. Technology, Bengaluru, Karnataka, India. She received [23] M. H. Rehmani and Al-Sakib K. Pathan, Emerg- B.E degree in Department of Computer Science and En- ing Communication Technologies Based on Wireless gineering from Dr. BAMU University, Maharashtra and Sensor Networks: Current Research and Future Ap- M.E degree in Department of Computer Science and En- plications, Florida: CRC Press, 2016. gineering, Anna University. She is currently pursuing her [24] S. Roy, J. Karjee, and U.S. rawat, “Symmetric key Ph.D. degree in the Department of Computer Science and encryption technique: A cellular automata based Engineering, Visvesvaraya Technological University, Bela- approach in wireless sensor networks,” Elsevier- gavi. Her research interests include wireless sensor net- Procedia Computer Science, pp. 408–414, 2016. works, secure communication networks and Image pro- [25] S. Ruj and B. Roy, “Key predistribution using com- cessing. binatorial designs for grid-group deployment scheme S. Swapna Kumar is Professor and Head of Department in wireless sensor networks,” ACM Transactions on of Electronics and Communication Engineering, in Vidya Sensor Networks (TOSN’09), 2009. Academy of Science & Technology, Thrissur, Kerala, In- [26] S. A. Salehi, M. A. Razzaque, P. Naraei, and A. Far- dia. Presently, he is a Supervisor for the Ph.D. scholars rokhtala, “Security in wireless sensor networks: Is- under Visvesvaraya Technological University (VTU) and sues and challenges,” in Proceeding of the IEEE In- also an external examiner for Thesis evaluation/ Public ternational Conference on Space Science and Com- Viva-voce of Ph.D. students. He has been in the teach- munication (IconSpace’13), pp. 176–180, July 2013. ing for profession courses under UG/PG level for nearly [27] S. Sharma, R. K. Bansal, and S. Bansal, “Issues decade, and has worked for various national and inter- and challenges in wireless sensor networks,” Interna- national industries.He is a reviewer of several National tional Conference on Machine Intelligence and Re- and International journals. Besides, he has also authored search Advancement, pp. 58–62, 2013. books on ”Guide to Wireless Sensor Networks and LAB [28] C. M. Chen, X. Zheng and T. Y. Wu, “A com- easy way of learning”. Dr. Swapna Kumar is a Fel- plete hierarchical key management scheme for het- low Member and Chartered Engineer IEI (INDIA). He erogeneous wireless sensor networks,” The Scientific has also a life membership of professional bodies, includ- World Journal, pp. 13, 2014. ing ISTE and IEEE. His area of interest include Net- [29] O. Yagan, “Performance of the eschenauergligor key working, Security system, Fuzzy Logic, Data Communi- distribution scheme under an on/off channel,” IEEE cation, Electronics, Communication Systems, Embedded Transactions on Information Theory, pp. 3821–3835, Systems, MATLAB modelling and simulation. 2012. International Journal of Network Security, Vol.21, No.1, PP.130-136, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).16) 130

Cryptography Security Designs and Enhancements of DNP3-SA Protocol Based on Trusted Computing

Ye Lu1 and Tao Feng2 (Corresponding author: Ye Lu)

College of Electrical and Information Engineering, Lanzhou University of Technology1 Lanzhou 730050, China School of Computer and Communication, Lanzhou University of Technology2 (Email: [email protected]) (Received Sept. 1, 2017; revised and accepted Dec. 28, 2017)

Abstract verified by SPAN, there is still a replay attack, and the second scheme cannot meet the specification of the orig- Although there are several solutions utilized to prevent inal DNP3-SA protocol. Literature [10] proposed ECC- security threats in DNP3 networks, existing DNP3-SA based public key authentication scheme based on the third networks still have severe shortcomings. To solve this party trusted institutions to ensure the legitimacy of the security problem, the attack vector and security require- client, but cannot guarantee the authenticity of the server ments of DNP3-SA protocol are analyzed, then, a cryp- identity. It is necessary to use the trusted platform to en- tography security designs and enhancements of DNP3-SA sure the authenticity of both sides of the communication, protocol is proposed based on the Trusted Computing, against the attacker posing and tamper with DNP3 server which authenticate the identity and security status of the and client. Literature [4] proposed the introduction of client and server to prevent node sensitive information trusted anchor technology into ICS embedded devices to from being compromised. The new protocol overcomes prevent equipment from being impersonated, but lacks se- man-in-the-middle and replay attacks without increasing curity for servers and protocols. The Trusted Computing communication overhead. The protocol is verified by the Group (TCG) introduces the Trusted Computing Con- SPAN tool, and no intrusion path is found, which ensures cept [8] into ICS and proposes a remote secure commu- the integrity, authenticity, freshness and confidentiality of nication based on the trusted platform module (TPM) the nodes participating in the communication. built-in key [9]. Literature [1] proposed the use of trusted Keywords: DNP3-SA Protocol; Industrial Control Sys- platform to protect and evaluate the terminal equipment tem; SPAN; Trusted Computing data security and trusted state, but the above studies are not given industrial Ethernet protocol security rein- forcement of specific programs. There are no other public 1 Introduction research to introduce trusted components into the DNP3 protocol to ensure the safety of field devices. Although the industrial Ethernet protocol based on The main contributions of the paper are as follows: TCP/IP technology is widely used in SCADA system, Firstly, the four kinds of attack vectors under the dnp3 the original industrial Ethernet protocol is facing more protocol are given. Secondly, the DNP3 protocol is intro- and more threat of network attacks. The widespread use duced into the trusted platform for the first time, and the of the DNP3 protocol in the field of SCADA systems has authentication of the device identity is realized. Finally, proven unsafe [5–7]. Therefore, the DNP3 protocol must the key update and communication sub-protocol was re- be researched and improved from the perspective of the designed to resist replay attacks. communication side to ensure the communication security The rest of our paper is organized as follows. In Sec- of the ICS system. tion 2, The attack vector and security requirements of The latest security improvement version DNP3-SA [2] DNP3-SA protocol are analyzed. Subsequently, we pro- proposes a certification strategy to ensure the integrity pose our enhancements of DNP3-SA protocol based on of the message. However, literature 5 indicates that the the Trusted Computing in Section 3 and analyze the se- protocol still cannot resist replay attacks. Literature [3] curity with the span tool in Section 4. In Section 5, The proposes two improvement schemes, the first scheme is performance of our protocol is analyzed. At last, Section 6 International Journal of Network Security, Vol.21, No.1, PP.130-136, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).16) 131 presents the overall conclusion. the authentication of both parties can prevent such attacks. 2 The Attack Vector and Security 4) Attack vector based on PLC program: As the PLC is usually used weak password protection Requirements mechanism, an attacker can crack the password and other ways to implant malicious program, in order to In this section, we takes the SCADA system as an example obtain sensitive information or cause failure. If the to study the security threats faced by the DNP3-SA com- attacker steals the preset key through the controlled munication protocol. SCADA system consists of monitor- PLC, the DNP3-SA security improvement protocol ing stations (MS), Human machine interface(HMI) and based on the authentication of both parties [2, 3, 5] other equipment such as PLC, IED. DNP3-SA protocol will not prevent such attacks. using C / S mode of communication, MS, HMI as DNP3 client communicate with DNP3 field server PLC through By the above attack vector and the literature [5– the configuration software (CS). PLC program collect the 7], DNP3-SA protocol mainly exists the following at- scene data back to the MS and HMI. The DNP3 protocol tack types: eavesdropping, tampering, posing, DOS, re- communication threat model is illustrated in Figure 1. play. Therefore, integrity, confidentiality, authenticity and freshness are the security requirements of trusted DNP3 protocol design.

3 The Proposed Scheme

In this section, we propose a cryptography security de- signs and enhancements of DNP3-SA protocol based on the Trusted Computing which can remedy a range of network attacks. It is composed four sub-protocols: Identity authentication sub-protocol; key agreement sub- Figure 1: DNP3 Communication threat model protocol; key update sub-protocol and communication sub-protocol. The authentication sub-protocol provides periodic verification and updating of the identity and se- MS as a client to communicate with multiple PLC curity status information for the MS and PLC by configur- servers. The gray part indicates that there is a threat ing the trusted platform and increasing the authentication to the current device. The Dolev-Yao adversary model server (AS). The key agreement sub-protocol completes shows that the attacker has enough ability to eavesdrop, the negotiation of the secret key after the authentication replay, tamper and fake any arbitrary network packets. succeeds to facilitate the symmetry encryption of the op- The following four types of attack vectors are available: eration data required for high security level communica- 1) Attack vector based on MS impersonator: tion. The key update sub-protocol periodically updates As the DNP3 protocol lacks the identity authentica- the key to ensure data security, and the AS solves the tion mechanism, the impersonator can forge DNP3 trustworthiness of the device state by periodically query- request message by eavesdropping the PLC commu- ing the PCR of the MS and PLC. The communication nication address and send the malicious control com- sub-protocol improves the NACR mode (non-critical re- mand to the PLC. Since the impersonator cannot ob- quest) and AGM mode (critical request) in the original tain the session key, the DNP3-SA security improve- DNP3-SA protocol and the scheme of literature [3] to pro- ment protocol [2,3,5] based on the authentication of tect against replay attacks. It should be noted that, for both parties can prevent such attacks. the first time, this paper introduces the trusted platform 2) Attack vectors based on CS vulnerabilities: into DNP3-SA protocol to complete the device authenti- An attacker can exploit a CS to obtain native sen- cation. sitive information and send a malicious command to Before the protocol is run, assume that the communi- the PLC. If the attacker steals the preset key through cation participant has the following knowledge: the controlled CS, the DNP3-SA security improve- 1) The communication request is initiated by the MS. ment protocol [2,3,5] based on the authentication of 2) The base layer of and protocol and AS are reliable. both parties will not be able to prevent such attacks. 3) MS, AS and PLC are based on TPM hardware to 3) Attack vector based on PLC impersonator: achieve a trusted function. All commands beginning As the DNP3 protocol lacks the identity authentica- with TPM are done in TPM hardware and software. tion mechanism, impersonators can obtain DNP3 re- sponse messages, causing malfunction. Since the im- 4) AS knows the expected trusted information of all personator cannot obtain the session key, the DNP3- terminal devices in the SCADA system, that is, a SA security improvement protocol [2, 3, 5] based on trusted list. International Journal of Network Security, Vol.21, No.1, PP.130-136, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).16) 132

5) MS, PLC known AS’s identity authentication public key A AIK Pub and Bind-public key KA Pub.

3.1 Identity Authentication and Key Ne- gotiation Sub-Protocol Trusted Computing [9] Measure the hardware and soft- ware reliability of the device through the trusted met- ric root in the BIOS of TPM device. The measurement results are stored in the platform configuration register (PCR) inside the TPM in a non-tamperable manner for user authentication to ensure that the device hardware and software system behaves in line with expectations. When the terminal device is initialized, the authentica- tion key pair (AIK) is created by the TPM. The private key of the AIK is stored in the device TPM. Verifying the AIK private key signature can guarantee the authenticity of the device identity. Bind-Key is a pair of public and private key pairs that the TPM uses to decrypt small- scale data (such as a key). The encrypted data must be decrypted on a device with a Bind-private key. The function of the identity authentication sub- protocol is to authenticate each other and prevent the device from being hijacked before the MS and the PLC communicate with each other. Figure 2 is the identity au- thentication sub-protocol and key agreement sub-protocol message flow, M is the client (MS), O is the server (PLC). O AIK Pri, O AIK Pub, M AIK Pri, M AIK Pub are au- thentication key pair (AIK), KA Pr, KA Pub, KM Pri, KM Pub, KO Pri, KO Pub are Bind-key pairs. PcrO, and PcrM is the trust metric root. K H is used for HMAC calculations in communication sub-protocols to ensure the integrity of communication data; K E is used for symmet- ric encryption of critical data required for high-security communications. Random numbers Na, Nb, Nc, Nd, Ne, Nf, Ng ensure the freshness of the message. Steps 1 to 14 describe the M and O request AIK signa- tures of the device status information (PCR value) to the opposite party to complete the two-way authenticate pro- cess with the assistance of AS. Among them, the TPM E and TPM D commands encrypt and decrypt the PCR and protocol data respectively. Steps 15 to 20 describe the agreement process of the message authentication key K H and the message encryp- tion key K E after confirming the identity information between M and O with the assistance of A. AS through the periodic question of MS and PLC PCR, Figure 2: Authentication and key agreement by comparing the white list information to find whether there is unexpected changes in equipment status, so as to ensure that the SCADA system terminal equipment in the course of the operation has not been tampered with. Depending on whether the verification result is successful or failed, the AS will decide whether to update the ICS device status: 1) If the verification is successful, AS does not do anything; 2) If the authentication fails, or if the ad- ministrator updates the white list information on the AS, the update process is initiated by the AS. Upon receipt of an AS-initiated update notification, the MS or PLC sets International Journal of Network Security, Vol.21, No.1, PP.130-136, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).16) 133 the symmetric keys K H and K E negotiated in the pre- agreement sub-protocol to be invalid and re-initiates the identity authentication sub-protocol, this process is not repeated by the length limit.

3.2 Key Update and Communication Sub-Protocol Figure 3 depicts our key update and communication sub- protocol. Steps 21 to 29 refers to the key update sub- protocol, Steps 30 to 41 describe the communication sub- protocol. Our Scheme encrypts the Ksn to ensure the confidentiality of the serial number, preventing replay at- tacks, use the random number Nx, Ny to ensure the fresh- ness of the message, and use the message authentication code MAC to verify the integrity of the message. Literature [3] indicates that there is a replay attack on the DNP3-SA protocol, and the attacker can replay the response message of the server (O) to cheat the client (M) to generate a valid MAC tag (old message), and then ex- ecute the command on the server. This attack is fatal to critical infrastructures and suggests two solutions to improve this flaw. Solution 1 calculate MAC on the chal- lenge message and solution 2 implement the Ksn as the sole component of the AGM operation. But, the two so- lutions are verified by the span tool, the result show that there are still replay attacks in both approaches. This is because the Ksn is plain text, the attacker is still able to guess the next Ksn, and then launch replay attacks. In addition, the server can not obtain the current Ksn serial number in solution 2, causing the protocol to fail.

4 Security Verification

Our scheme is described using the role-based formalized protocol language HLPSL, and the SPAN tool is used to verify the security of the protocol. The SPAN tool simulates the protocol functions and intruder behavior described in the HLPSL language, and gives the corre- sponding attack path if the protocol is insecure. Taking the identity authentication sub-protocol as an example, the HLPSL language is used to describe the three roles (MS, PLC and AS) processes and hybrid role participat- ing in the protocol. the role process defines a communica- tion process and an entity variable for the role receive and response message. The hybrid role process defines proto- col variables, attacker knowledge, and protocol validation targets. This article uses ”master” to represent MS, the Figure 3: Key update and communication entity M in Figure 4, use ”out” to represent PLC, the entity O in Figure 4, use ”server” to represent AS, the entity A in Figure 4. Limited to space, Figure 4 depicts the communication process for the master role. Figure 5 depicts the attacker’s knowledge and security objectives, including entities (m, o and a) and plaintext information in the protocol process. The plaintext in- formation refers to the cryptographic algorithm and the public key used. The security objective of the identity International Journal of Network Security, Vol.21, No.1, PP.130-136, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).16) 134

Figure 6: SPAN verification results

are similar to the authentication sub-protocol. The SPAN verification result is also safe and will not be repeated. In summary, our scheme can meet the safety requirements of the protocol proposed in Section 2, which guarantee Figure 4: Communication process of entity M the identity and status of the communication entity, the integrity of the protocol data, the freshness of the random number, the confidentiality of the protocol data under the authentication sub-protocol and the key-agreement sub- high security level, and can withstand the replay attacks protocol is to ensure the confidentiality of the authentica- that still exist in literature [3]. tion key KH and the encryption key KE used in the com- munication sub-protocol, PCR (PcrO and PcrM), and all random numbers such as Na etc., with strong authentica- 5 Performance Analysis tion. In this section, we provide the overhead analysis of the fixed protocol to show that our approaches indeed main- tain communication, processing and storage overheads at the cost of a minor increased cost in calculate. Since the authentication and key agreement sub-protocol is initi- ated only when the device status information is changed (before the first communication, the authentication fails) and the message is processed using the dedicated TPM hardware and software, the part of the protocol perfor- mance costs have less impact on the time overhead of the communication. The Key update and communication sub-protocol is used frequently, which uses the encryp- tion primitives in the DNP3-SA specification without the TPM-related time overhead, but adds some communica- tion, computation and storage overhead. This section presents a comparison of communication, Calculate and storage overheads between the standard DNP3-SA, solutions of [3] and our scheme. It is to be Figure 5: Attacker knowledge and security goals noted that the comparison is based on the total counts of messages(n) within the DNP3-SA protocol but not in byte size. This is because most of the messages have sim- As shown in Figure 6, the SPAN authentication result ilar byte sizes. Here n is used to denote the approximate of the authentication and key agreement sub-protocol is number of commands to be exchanged between a mas- security (SAFE). the message sequence of the protocol ter station and an outstation per user and during a time given by SPAN analyzes the protocol security from the interval between two key updates. Sol1 and Sol2 denote perspective of the intruder, and fails to form an intrusion the proposed solution 1 and solution 2 in literature [3]. M path. This result indicates that the sub-protocol can se- represent the modification attack, R represent the replay curely authenticate the identity and status information of attack, S represent the spoofing attack and H refers to M and O, and can safely exchange the keys KH and KE. hijacking attack. The security target and authentication process of the To understand Table 1, one must take three things into key update sub-protocol and communication sub-protocol consideration for the communication and storage over- International Journal of Network Security, Vol.21, No.1, PP.130-136, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).16) 135

Table 1: Performance analysis and comparison(AGM)

heads. First, there is a key update process that occurs Acknowledgments before the NACR or AGM operates. The key update pro- cess has 4 headcounts of messages per round and per user This work is supported by the National Natural Science (refer to Figure 3). Second, before AGM can successfully Foundation of China (No. 61462060, No.61762060), The operate, there must be at least a run of the NACR op- authors would like to thank the anonymous reviewers for eration, which implies the number of communicated mes- their helpful comments and suggestions. sages in NACR will also be considered in AGM. Third, we consider the performance overhead of critical information transmission mode (AGM). References In Table 1, Ours row, the total messages involved the operation is shown as (2(n + 4) ≈ O(n)). This value [1] R. Amin, S. H. Islam, A. Karati, et al., “Design of (2(n+4) ≈ O(n)) is derived because there are 4 messages an enhanced authentication protocol and its verifica- from the key update process, 4 messages from the NACR tion using AVISPA,” in IEEE International Confer- operation and two 2n messages from the AGM operation ence on Recent Advances in Information Technology, (i.e. NACR must run before AGM) for n commands. The 2016. calculate overhead in ours is n + 2, similar to [3] - Sol1, [2] R. Amoah, S. Camtepe, E. Foo, “Securing DNP3 meaning that 2 MAC computations in NACR operation broadcast communications in SCADA systems,” and one MAC computation in each AGM operation (n). IEEE Transactions on Industrial Informatics, vol. Asymptotically, this value corresponds to O(n). For stor- 12, no. 4, pp. 1474–1485, 2016. age overhead in ours, 5 values are expected to be stored [3] R. Amoah, S. Camtepe, E. Foo, “Formal modelling on both stations. This is because both store value like and analysis of DNP3 secure authentication,” Jour- the keys (KH and KE), 2 MACs, content of the challenge nal of Network and Computer Applications, vol. 59, message. pp. 345–360, 2016. In comparing our scheme to proposed solutions 1 and 2 [4] F. Brasser, B. E. Mahjoub, A. R. Sadeghi, et al., “Ty- ( [3] - Sol1 and [3] - Sol2), our new protocol overcomes the TAN: Tiny trust anchor for tiny devices,” in IEEE shortcomings of the two proposed solutions of [3], which Design Automation Conference, pp. 34, 2015. have man-in-the-middle attacks and replay attacks at a [5] J. A. Crain, S. Bratus, “Bolt-on security extensions minor increase in calculate overhead and storage over- for industrial control system protocols: A case study head, without increasing communication overhead. of DNP3 SAv5,” IEEE Security & Privacy, vol. 13, no. 3, pp. 74–79, 2015. [6] C. Cremers, M. Dehnel-Wild, K. Milner, “Secure au- 6 Conclusion thentication in the grid: A formal analysis of DNP3: SAv5,” in European Symposium on Research in Com- In this article, we proposed a cryptography security de- puter Security, pp. 389–407, 2017. signs and enhancements of DNP3-SA protocol based on [7] D. Lee, H. Kim, K. Kim, et al., “Simulated attack the Trusted Computing without increasing communica- on DNP3 protocol in SCADA system,” in The 31th tion overhead, which authenticate the identity and secu- Symposium on Cryptography and Information Secu- rity status of the DNP3-SA client and server to prevent rity, 2014. node sensitive information from being compromised. The [8] P. Maene, J. Gotzfried, R. D. Clercq, et al., protocol is verified by the SPAN tool, and no intrusion “Hardware-based trusted computing architectures path is found, which ensures the integrity, authenticity, for isolation and attestation,” IEEE Transactions on freshness and confidentiality of the nodes. Computers, PP(99): 1-1, 2017. International Journal of Network Security, Vol.21, No.1, PP.130-136, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).16) 136

[9] Trusted Computing Group, TCG Trusted Network Biography Communications: IF-MAP Metadata for ICS Secu- rity, Specification Version 1.0 Revision 46, 15 Sept. Lu Ye was born in 1986, CCF member. He is a doc- 2014. (https://trustedcomputinggroup.org/ toral student at LanZhou University of Technology, His wp-content/uploads/IFMAP\_Metadata\_For\ research interests include security of industrial control _ICS\_Security\_v1\_0r46.pdf) system. [10] B. Vaidya, D. Makrakis, H. T. Mouftah, “Authenti- FENG Tao was born in 1970, researcher/PhD supervi- cation and authorization mechanisms for substation sor, CCF senior member, IEEE and ACM member. He automation in smart grid network,” IEEE Network, graduated from Xidian University, and then worked at vol. 27, no. 1, pp. 5–11, 2013. school of computer and communication in Lanzhou Uni- versity of Technology. His research interests include Cryp- tography and information security. International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 137

Multimedia Social Network Authorization Scheme of Comparison-based Encryption

Cheng Li, Zhiyong Zhang, Guoqin Chang (Corresponding author: Zhiyong Zhang)

School of Information Engineering, Henan University of Science and Technology, Luoyang, Henan 471023, China (Email: [email protected]) (Received Nov. 9, 2017; revised and accepted Mar. 5, 2018)

Abstract to the cloud; then the user uses a flexible authorization method to share the encryption key, while users can also In many Ciphertext-Policy Attributed Based Encryption specify a fine-grained access control strategy to achieve (CP-ABE) schemes, the level of attributes is ignored; efficient and secure data authorization. Sahai and Waters while the comparison based attribute encryption scheme first proposed attribute based encryption (ABE) scheme is not flexible enough. In this paper, an encryption scheme in the [1], which can achieve fine-grained one to many au- based on comparative attributes is proposed. In this thorization. ABE encrypted data can not only ensure scheme, users can’t only make more granular and flexi- the security and integrity of user data, but also have ble access control policies based on the level of attributes, good flexibility. In 2006, Goyal proposed a Key-Policy but also support more diverse forms of access control pol- Attributed Based Encryption (KP-ABE) and Ciphertext- icy. At the same time, in order to solve the computational Policy Attributed Based Encryption (CP-ABE) in the [2], pressure of the user terminal, a third-party proxy is added and implemented the first KP-ABE algorithm. In 2007, to the solution to assist the user to decrypt the cipher- Bethencourt [3] and Cheung [4] implemented the CP- text. Through the comparative and experimental data ABE algorithm, respectively. After that, with the con- analysis, the scheme can be better applied to multimedia tinuous development of ABE technology, has been widely social networks. used in multimedia social networks [5–7], cloud comput- Keywords: Comparison-Based Attribute; CP-ABE; Mul- ing [8,9], cloud storage [10,11] and electronic health man- timedia Social Networks; Third-Party Decrypt agement [12,13] and many other areas. At the same time, users can use the ”Boolean expression” [14], ”and/or” ac- cess structure [6], (t, n) threshold [15,16] and linear secret 1 Introduction sharing scheme (LSSS) [17], constructing a relatively flex- ible access control policy to meet the user’s needs. With the development of multimedia social networks, However, the current attribute-based encryption au- more and more people are willing to publish their per- thorization scheme is often used to use specific attributes, sonal life and privacy to the multimedia social network. such as the access strategy ”President AND July 1”, But the security problems caused by privacy leaking and which states that ”only the president has access rights data authorization of social network users (hereinafter re- in July 1st”, in other words, Other people in this time ferred to as ”users”) are followed. The user uploads his or or ”President” in addition to this time cannot access the her private data to a social network service provider, such data, although this is a relatively extreme example, but as the health condition of the user, travel information, and it does show that most proposal is not flexible, because payment (consumption) information, via a social network ”President” can be divided into ”president” and ”vice- provider or a third party storage agent to save the user president”, and even more detailed division, the date is data. However, the social network provider and third- the same reason, for these can be refined attribute autho- party storage (or ”Cloud”) are often untrustworthy, and rization program research is relatively less. they are likely to spy on the user’s private data or to leak Therefore, the attributes can be divided into sub- privacy data due to problems such as failures and mali- attributes according to a certain order, making data au- cious user attacks, which leads to unnecessary problems thorization more in line with the actual needs. The or- to the user. der relationship between these sub-attributes can be com- In order to protect the user’s privacy, the user can en- pared. Only when the user attribute level satisfies the crypt the encrypted data and then upload the ciphertext access authorization policy can the data be decrypted. International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 138

1.1 Related Work 1.2 Contribution After this article carries on the analysis combined with the development of multimedia social networks and user After Sahai and Waters proposed ABE algorithm, ABE is needs, it found that users in the use of multimedia so- widely used in cloud storage, multimedia social networks, cial networks not only needs efficient sharing authoriza- health management and so on. It can be divided into tion mechanism, but also needs the protection of private CP-ABE and KP-ABE program. The KP-ABE cipher- data security. But the current scheme lacks some flexi- text is associated with the attribute set, and the user’s bility. Therefore, this paper proposes a multimedia social key is associated with the access structure. The cipher- network authorization scheme based on comparative at- text in CP-ABE scheme is associated with the access con- tributes, which has three contributions to the future re- trol policy, and the user is associated with the attribute search work: set. As the CP-ABE scheme is more close to the ac- tual life, it has been widely used in the fields of multi- 1) The proposed scheme supports monotonic access media, social networking and other related fields. How- structure and has some flexibility; ever, most researchers do not pay enough attention to the 2) In considering the order of attributes can not only weight of attributes, so that the scheme can’t adapt well be a simple comparison, it can also set the attribute to the scene of practical application. In [18], an algorithm authorization order interval; for transforming the threshold access strategy to LSSS is proposed. The scheme is improved on the basis of [19], 3) The ABE scheme is improved in this paper: the in- which makes it more efficient and reduces storage space troduction of third party auxiliary user decryption and computation cost effectively. reduces the user operation pressure. At the same time, with half hidden access Control strategy, it be- In [20], an encryption scheme based on attribute com- come more suitable for multimedia social networks. parison is proposed, which introduces attribute compar- ison into attribute-based encryption, realizes the con- The schematic diagram of the scheme is shown in Figure 1. straint on the scope of authorization attribute, and in- creases the flexibility of data authorization effectively. 1.3 Organization In [21], Liu proposed a hierarchical fine-grained attribute authorization scheme, which implements a scheme based The first section of this paper mainly introduces the dis- on attribute weights. However, this scheme only reached covery, causes and research status of the problem. In the single contrast capability, which cannot be set to the second section, the background knowledge related to the interval attribute weights. (For example, it can only the scheme proposed in this paper will be introduced, so set ”attribute weight” or ”attribute weight ¡value” (later that readers can better understand it. In section three, called ”monotonically contrast”), unable to set ”a value a formal description of the solution model and its secu- ¡= attribute weight ¡= a value” (after the text referred to rity model is presented. Section 4 introduces the specific as ”interval contrast ”) situation). process of the algorithm in this scheme. The fifth section will prove the security of the proposed scheme and make In [22], it uses attribute weights and uses binary way a simple comparison with other schemes proposed in the to compare, increasing the flexibility of the program. literature. The work of this paper will be reviewed and In [23], a flexible attribute weights comparison authoriza- summarized in the last section, and a simple prospect for tion scheme is proposed, which not only supports mono- future research or development direction will be carried tonically contrast, but also supports attribute interval out. (range) contrast, which makes attribute-based authoriza- tion scheme more suitable for practical application scenar- 2 Background ios. In [24], the attributes are compared using 0-encoding and 1-encoding encoding. In [25], the first ABE system 2.1 Bilinear Maps with adaptive safety is proposed using dual system en- cryption. In [26], a CP-ABE scheme with multiple cen- Assume that G and GT are two multiplication cyclic tral authority is proposed, which effectively improves the groups, of which the order is prime number P , g, a gener- computational efficiency of a single CA, and solves the ator of Group G, and then a bilinear map; e : G×G → GT security problem caused by a single CA mastering the exists with the following properties [28]: global master key. In [27], a hierarchical attribute en- • Bilinearity: For any u, v ∈ G; a, b ∈ Z , e(ua, vb) = cryption authorization system is also proposed, but the p e(u, v)ab; system idea is to divide the user with different levels of authorization, but the thought is different from the [21], • Non-degeneracy: For calculation, e(g, g) 6= 1; its main idea is to reduce the complexity of the task from high to low so as to reduce the computing pressure of a • Symmetry: e() is a symmetry operation, i.e., a b b a single institution. e(g , g ) = e(g , g ). International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 139

Definition 2. Compare Attribute Level Operation Meth- ods:

1) Strategy generation algorithm (Ψ): Randomly select a parameter ϕ ∈ Zp, at the same time for the property Ui select two random parameters thetai, µi ∈ Zp; Ψ that attribute U all attributes mapped to an integer, ui,j Z−ui,k θi µi Ψ({ui,j, ui,t}Ui∈U ) = ϕ . 2) Strategy recovery (verification) algorithm (γ): The algorithm is designed to verify the relationship be- tween user weight and access strategy. There are only two structures:

• If ui,j ≤ ui,user,j0 and ui,user,t0 ≤ Figure 1: Scheme diagram of the program model (ui,user,t, Ui,user = (ui,user,j0 , ui,user,t0 ⊆ Ui, γ can calculate the result γ ({u , u } ) (ui,j ≤ui,user,j0 ,ui,user,t0 ≤ui,user,t|Ui∈U) i,j i,t Ui∈U 2.2 q-parallel Bilinear Diffie-Hellman Ex- ∈ Zp in polynomial time; ponent • If ui,j > ui,user,j0 or ui,user,t0 > ui,user,t, Ui,user = (ui,user,j0 , ui,user,t0 ⊆ Ui then γ Definition 1 (q-parallel Bilinear Diffie-Hellman Ex- cannot be obtained in the polynomial time ponent (q-parallel BDHE)). Suppose G, G are the T {ui,j, ui,t}Ui∈U corresponding to the results. multiplication cycle of prime order p, the generator of G is g, there are bilinear mapping e : G × G → GT , The calculation process of is as follows: random selection a, s, b1, b2, ··· , bq ∈ Zp. If an adver- q q+2 2q γ(u ≤u ,u ≤u |U ∈U)({ui,j , ui,t}U ∈U ) sary is given y = {g, gs, ga, ··· , ga , ga , ··· , g2 , i,j i,user,j0 i,user,t0 i,user,t i i u −u q q+2 2q/b i,k i,user,t0 sb a/b a /b a /b a j ,∀ u Z−u u 0 −ui,j µ (g j , g j , ··· , g j , g j , ··· , g 1≤j≤q ), θ i,j µ i,k θ i,user,j i q = (ϕ i i )(ϕ i ) asbk/bj a sbk/bj (g , ··· , g , ∀ ). It is not possible u 1≤j,k≤q;k6=j i,user,j0 Z−ui,k q+1 θ µ a s i i for an adversary to distinguish e(g, g) ∈ GT from = ϕ other elements randomly selected from GT in probabilistic polynomial time. 2.3.2 Linear Secret Sharing Scheme (LSSS)

Set P = {P1,P2, ··· ,Pn} as a set of participants, if P 2.3 Structure of Access Structure and meets the following conditions of Π of linear secret sharing Attribute Weights scheme:

2.3.1 Definition and Construction of 1) The share of the participant on the secret s consti- Comparison-Based Attributes tutes a vector on Zp;

Based on the previous question, we construct a user 2) There is a m rows n columns for the secret shar- attribute level (range) derivation algorithm: In this ing generation matrix M. Existing Map f maps all algorithm, the user can specify the attribute Ui ∈ participants i = 1, 2, ··· , m to U, f(i) maps each U(i = 1, ··· , m), allocate attribute range for Ui to 0 < row of matrix M to a participant. Choose a vector u , ··· , < u < Z, where m is the number of global i,1 i,j v = (s, v2, v3, ··· , vn), s ∈ Zp for the required shared attributes and Z is the maximum value assigned by at- secret, v2, v3, ··· , vn ∈ Zp randomly selected. Then tribute U . The attribute U = {u , u } indicates i i i,j i,t Ui∈U Mv is s about Π’s n shares, and the ith share λi that the specified range of the attribute in the access belongs to the participant f(i). policy is ui,j ≤ Ui,user ≤ ui,t, where Ui,user only rep- resents the attribute value of the user (which may be By using the access structure transformation method a fixed value or range, for example, ”18 o’clock” only in [18], a monotonic access structure is transformed with means that the attribute sequence a fixed value). There linear secret sharing, which is linearly reconstructed for are mapping of Ui → Ψ: when Ui = {ui,j, ui,t}Ui∈U is each linear secret sharing scheme. The specific recon- established, Ψ({ui,j, ui,t}Ui∈U ) is established. Assuming struction method is as follows: Let (M, ρ) represent an that the relationship is ui,user = (ui,user,j0 , ui,user,t0 ) ⊆ access structure T , S ∈ U is an authorization set, let and ui,j ≤ ui,user,j0 , ui,user,t0 ≤ ui,user,t, there the set I = {i : f)i) ∈ S}, the existence of constant set 0 are Ψ({ui,j, ui,t}Ui∈U ) ≤ Ψ({ui,user,j , ui,j}Ui∈U ) and {wi ∈ Zp}i∈I , If λi is a legitimate authorized set for Π for 0 P Ψ({ui,j, ui,t}Ui∈U ) ≤ Ψ({ui,j, ui,user,t }Ui∈U ) order rela- s, i∈I wiλi = s exists, otherwise there will be no such tionships. constant set. International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 140

3 Scheme Formalization and Se- Phase 1: The Adversary chooses the attribute set to be asked U = {u , u } submitted to the Chal- curity Model i i,j i,t Ui∈U lenger, and then the Challenger generates the corre- sponding private attribute key by operating the key 3.1 Concepts of the Scheme Formaliza- generation algorithm and presents them to the Ad- tion versary. In an authorization model comparison-based attributes Challenge: The Adversary chooses and presents to the (range), there is a number of users. In the system, each Challenger two messages MSG0 and MSG1 with the user is assigned a unique identity identifier GID. The CA same length and an authorized access set Q, which he is responsible for distributing the key and managing the wants to challenge. Ui,Ui∈U ∩Q = φ is worthy of note. attribute domain to the user, for the global attribute set The Challenger randomly chooses σ ∈ {0, 1}, com- U = {1, 2, ··· , m}. putes the ciphertext CTσ = Encrypt(δ, MSG, Q), In this paper, there are five algorithms, namely, Setup, and presents the latter to the Adversary. Encrypt, KeyGen, Tp-Dencrypt and Dencrypt. The next five algorithms will be give a formal description: Phase 2: The Adversary repeats the work in Phase 1 and continues to inquire the private attribute key of λ 1) setup(1 → δ): In the system given a safe random an attribute set Oi = {ui,j, ui,t}Oi∈U . O ∩ Q = φ is parameter 1λ as input, the system outputs the global worthy of note. The Challenger computes the private public parameter δ and the system’s master key pa- attribute key according to the attribute value in the rameter MK. attribute set O and presents this attribute key to the Adversary.

2) Encrypt(δ, MSG, T → CT ): The message MSG, 0 the global public parameter δ and the user specified Guess: The Adversary inputs his conjecture about σ ∈ {0, 1} according to the information in hand. If access structure T as input, export ciphertext CT . 0 T as input should be a monotone access structure. σ = σ , then the Adversary wins. The advantage probability of the Adversary’s winning is defined as 0 1 3) KeyGen(MK,S → SK): The host key MK and AdvA := |P r[σ = σ ] − 2 |. the user’s attribute weights set S as input, and the user’s private key SK is output, assuming S ∈ P is 4 Design of the Scheme Algorithm a weighted set of authorizations. In the access structure of this paper, users can submit 0 4) T p − Decrypt(SK,CT → CT ): In order to re- a monotonic access structure with (t, n) threshold, etc. duce the computational pressure when decrypting In the access structure, the user can specify the weight the user, the user submits the private key SK to range of the attribute, and only the user who satisfies the trusted third party agent decrypts the ciphertext the access structure and satisfies the weight range of the 0 and decrypts the ciphertext CT which the proxy de- specified attribute in the access structure can complete crypts to the user, for the next step. the decryption operation. Next, the program execution process is described as follows: 5) Decrypt(SK,CT 0 → MSG): The encrypted data holding user uses the private key SK and the cipher- setup(λ, U): Enter a security parameter λ in the sys- text CT 0 as the input for the system, and the system tem, and the system call group generation algorithm will judge the information provided by the user to generates the multiplication cycle group G and GT run the decryption algorithm. If the user complies of the two order P , group G generated by g, existing with the access policy output MSG, the ⊥ will be map e : G × G → GT ; Select the random number

output and the system will be terminated. α, β, φ ∈ Zp, and select two parameters {θi, µi}Ui∈U for each property. Get the open parameter PK = α α {g, e(g, g) , g , φ, {θi, µi}Ui∈U , h1, h2, ··· , hm}, mas- 3.2 Security Model ter key MK = gα. In the security confirmation process, a Challenger B and Encrypt(δ, MSG, T → CT ): Input message MSG, an Adversary A are defined. The Adversary chooses and global open parameter δ and user specified access challenges a Challenger, and the chosen Challenger ac- structure T as input. Assuming that the attribute cepts this challenge to play an indistinguishable under 0 0 Ui sets the range Pi = {τi, τ }U ∈U , {τi, τ } is the chosen plaintext attack (IND-CPA) game. The rules of i i i interval [ui,j, ui,k] used for the attribute in the at- an IND-CPA game are as follows: tribute access policy. Therefore, Vp = V 0 = i {ρi,ρi}Ui∈U Z−τ0 θτi µ i System Initialization: A challenger inputs a stochastic ϕ i i exists. The data receiver not only needs parameter λ, and then the system’s public parameter to satisfy the attribute access structure specified by δ and master key parameter MK are generated. the user, but also satisfy the specific attribute of the International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 141

range. The monotonic access structure T conversion Proof. The challenger sets the random parameter y by generates a linear secret sharing matrix (M, ρ), which Definition 1, selects a random parameter σ →R {0, 1}, αq+1 ρi maps Mi to specific attributes, and Mi represents and if σ = 0, there is Z = e(g, g) ; Otherwise Z → GT . the i-th row of M. The algorithm randomly selects Before the game begins, A will declare to the B, the access ∗ ∗ ∗ the vector v = (s, v2, v3, ··· , vn), s ∈ Zp for the re- structure M , ρ ) to challenge, where the number of M ∗ quired shared secret; randomly selects rx ∈ Zp. columns is n .

0 Output the ciphertext: Initially. B first randomly selected α ∈ Zp, and α = αs 0 0 q+1 CT = {C = MSG · e(g, g) , (M, ρ),C = α0 + αq+1, there is e(g, g)α = e(g, g)α · e(gα, gα ). gs,C ,C0 }. Among them, i(i∈{1,2,··· ,m}) i(i∈{1,2,··· ,m}) B build parameter h1, h2, ··· , hm, for each x(1 ≤

ρ 0 x ≤ m) corresponds to a random parameter zx ∈ Zp, i Z−ρi θi µ αλi −ri ∗ Ci = ϕ · g hi if there is a set of ρ (i) = x for the index i, then hx = ∗ 2 ∗ n∗ ∗ 0 ri z αM /bi α M /bi α M ∗ /bi Ci = g , i ∈ {1, 2, ··· , m}. g x ·g i,1 , g i,2 , ··· , g i,n ; otherwise, zx hx = g . KeyGen(MK,S → SK): The r ∈ Zp is ran- domly selected by the master key MK and the Phase 1: A Queries an access set S, where S ∗ user’s weight set S as input, and the weight order does not satisfy the access structure M . B randomly selected r ∈ Zp, seeking vector value Ui,user(U ∈S) := V{u 0 ,u 0 } = ∗ i i,user,j i,user,t ui∈Ui∈S −→ n 0 ∗ τ Z−τ w = (w1, w2, ··· , wn ) ∈ Zp to make w1 = −1, θ i µ i ϕ i i of the user attribute is calculated; the ∗ ∗ and for all i have ρ (i) ∈ S, w · Mi = 0. Define q q−1 q−n∗+1 private key SK = {V ,K = ∗ {ui,user,j0 ,ui,user,t0 }ui∈Ui∈S t = r + w1α + w2α + ··· + wn α , so α αr r 0 q q1 q−n∗+1 g g ,L = g ,K = h , ∀U ∈ S} of the user is t r w1α w2α wn∗ α Ui Ui i L = g = g · g · g ··· g ; now output, assuming that S ∈ U is a weighted set of calculate Kx, ∀(x = Ui) ∈ S. First consider authorizations. ∗ zx the case for all i no ρ (i) = x, so KUi = L ; when there are multiple i makes ρ∗(i) = x, be- T p − Decrypt(SK,CT → CT 0): The user submits the αq+1 private key SK to the trusted third party agent de- cause it is not allowed to simulate g , Kx αq+1 crypts the ciphertext and then trusts the third party does not allow similar to g items. Because ∗ q+1 to run the policy recovery (check) algorithm (Υ), of w · Mi = 0, all of the indices including α zx are going to cancel out. As a result, Kx = L · which is calculated by replacing it with the user: j q+1+j−k Q (α /bi)r Q α /bi wk ∗ j=1,2,··· ,n∗ (g k=1,2,··· ,n,k6=j (g ) )Mi,j .

Cc1 = C1/ψ({µi,j, µi,t}Ui∈U ) Challenge: A sends two lengths of the same message Z−µi,k µ µ ρ 0 i,user,j0 θ 1 µZ−ρ1 αλ −r θ i to B as MSG and MSG . B randomly selects = ϕ 1 · g 1 T 1 /ϕ i 0 1 σ →R {0, 1}, encrypts MSGσ, calculates C = sα0 0 s So CT 0 = {C = MSG · e(g, g)αs, (M, ρ),C0 = MSGσ · Z · e(g, g) and C = g , and then ran- 0 0 0 gs, C ,C0 } gives the user the domly selects v2, v3, ··· , vn∗ from B to get v = bi(i∈{1,2,··· ,m}) i(i∈{1,2,··· ,m}) 0 2 0 n∗−1 0 n∗ next step of decryption. (s, sα + v2, sα + v3, ··· , sα + vn∗ ) ∈ Zp ; B 0 ∗ randomly selected ri ∈ Zp, i = 1, 2, ··· , n , available 0 ρ 0 0 ∗ ∗ 0 i Z−ρi −r n Decrypt(SK,CT → MSG): The encrypted data hold- θi µ i P α Mi,j yj bi·s −zρ∗(i) Ci = ϕ ·hρ∗(i) · j=1(g ) ·(g ) · ing user uses the private key SK and the en- j ∗ 0 Q α ·s(bi/bk) Mi,j 0 ri sbi crypted ciphertext CT 0 issued by the system as in- k=1,2,··· ,n∗,k6=j(g ) and Ci = g g . put, and the calculation constant wi ∈ Zp satis- Phase 2: The same as Phase 1. fies P w M = (1, 0, ··· , 0). Decryption first ρi∈S i i 0 calculated: B = e(C ,K) = e(g, g)αs, among ∆ = Guess: A output on the σ speculation, if σ = 0, there ∆ αq+1 Q 0 are Z = e(g, g) ; otherwise Z → GT . If B can (e(Cbi(i∈{1,2,··· ,m}),L)·e(Cb ,KUi = ρi∈S i(i∈{1,2,··· ,m}) win this game, it can also win the Definition 1 by the T 0 ))wi . Finally, it can be concluded that MSG = Ui same advantage. C/B.

5 Security Confirmation and 5.2 Scheme Comparison Comparison In this section, we compare the aspects of security as- 5.1 Security Analysis sumptions, access strategies and policy development flex- ibility, ciphertext length and fine-grained access control Theorem 1. In the selected model, if there is an adver- with [21, 23, 29]. In the ciphertext length, assume that sary A in the probabilistic polynomial time can’t ignore the attribute set is I; access strategy and strategy devel- the advantages of breaking the program, you can solve the opment flexibility to compare its access control and other q-parallel BDHE difficult assumptions. flexibility level, the contrast index for the development of International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 142

Table 1: Scheme comparison

Scheme Ciphertext Size Assumptions Access Strategy and Flexibility Fine-grained Access Control [21] O(nm) q-parallel BDHE Medium Yes [23] O(nm) – Low Yes [29] O(n) l-w BDHI Medium No Our O(nm) q-parallel BDHE High Yes

a variety of policies can be developed access control struc- authorization sharing. The program has the following two ture; the main contrast indicator of fine-grained access characteristics: 1) the data owner can make more fine- control is whether the comparison of attribute weights and grained access control strategy according to the require- the comparison of attribute weights can be achieved in ments, in order to meet the more detailed requirements the scheme strategy, such as whether to control the scope of the same attribute; 2) this paper not only consider of the attribute weight. The specific scheme is shown in the sequence attribute weights, but also make a simple Table 1. comparison and set the attribute authorization interval (range), increase the flexibility of the program and also make it more suitable for practical application scenar- ios. Through the comparative analysis of this scheme and other programs, experiments show that the system of this solution can be better adapted to the real appli- cation scenarios. In the future work, in order to improve the user experience, you can consider ways to use crowd- sourcing [30, 31] to improve system efficiency.

Acknowledgments

Figure 2: Simulation diagram The work was sponsored by National Natural Science Foundation of China Grant No.61772174 and 61370220, Plan For Scientific Innovation Talent of Henan Province Analysis of Table 1, we can see that the proposed Grant No.174200510011, Program for Innovative Re- scheme has better performance in the scheme proposed search Team (in Science and Technology) in Univer- in other literatures. In order to further illustrate the sity of Henan Province Grant No.15IRTSTHN010, Pro- program can meet the needs of social networks in terms gram for Henan Province Science and Technology Grant of performance, this paper simulates the environment i5- No.142102210425, Natural Science Foundation of Henan 4590 3.3MHz, 4G RAM running under Windows 10 Pro- Province Grant No.162300410094, Project of the Cul- fessional; written in eclipse tools using Java, using the tivation Fund of Science and Technology Achievements JPBC 1.2. 0, in order to facilitate comparison, each at- of Henan University of Science and Technology Grant tribute is divided into eight sub-attributes for verification, No.2015BZCG01. a specific description as shown in Figure 2. The number of attributes increases exponentially from 2 to 8, and lin- early increases from 8 (increasing by 8 each time). In References order to show the relationship between the number of at- [1] A. Sahai, B. Waters, “Fuzzy identity-based encryp- tributes and program run time. By calculating the time tion,” in International Conference on the Theory and can be drawn that the program consumed by the time can Applications of Cryptographic Techniques, pp. 457– be applied to multimedia social networks. 473, 2005. [2] V. Goyal, O. Pandey, A. Sahai, et al., “Attribute- 6 Conclusion based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM According to the characteristics of the property, this pa- Conference on Computer and Communications Se- per found that the previous ABE schemes seldom pay curity, pp. 89–98, 2006. attention to the issue of attribute level. Therefore, this [3] J. Bethencourt, A. Sahai, B. Waters, “Ciphertext- paper proposes an encryption scheme based on attribute policy attribute-based encryption,” in IEEE Sympo- weight order, and applies it to multimedia social network sium on Security and Privacy (SP’07), pp. 321–334, to solve the problem of user privacy data protection and 2007. International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 143

[4] L. Cheung, C. Newport, “Provably secure ciphertext [17] Z. W. Wang, Z. Z. Chu, “Efficient mediated policy ABE,” in Proceedings of the 14th ACM Con- ciphertext-policy attribute-based encryption for per- ference on Computer and Communications Security, sonal health records systems,” Journal of Internet pp. 456–465, 2007. Technology, vol. 16, no. 5, pp. 877–883, 2015. [5] Z. Liu, Z. L. Jiang, X. Wang, et al., “Of- [18] L. Zhen, Z. Cao, D. S. Wong, “Efficient generation fline/online attribute?based encryption with verifi- of linear secret sharing scheme matrices from thresh- able outsourced decryption,” Concurrency and Com- old access trees,” Cryptology ePrint Archive, Report putation: Practice & Experience, vol. 29, no. 7, pp. 2010/374. (http://eprint.iacr.org/2010/374) 1–17, 2016. [19] A. Lewko, B. Water, “Decentralizing attribute-based [6] Y. Wu, Z. Wei, R. H. Deng, “Attribute-based access encryption,” in Advances in Cryptology (EURO- to scalable media in cloud-assisted content sharing CRYPT’11), pp. 568–588, 2011. networks,” IEEE Transactions on Multimedia, vol. [20] Y. Zhu, H. Hu, G. J. Ahn, et al., “Comparison-based 15, no. 4, pp. 778–788, 2013. encryption for fine-grained access control in clouds,” [7] Z. Zhang, B. B. Gupta, “Social media security in ACM Conference on Data and Application Secu- and trustworthiness: overview and new direc- rity and Privacy, pp. 105–116, 2012. tion,” Future Generation Computer Systems, 2016. [21] X. Liu, J. Ma, J. Xiong, et al., “Ciphertext-policy hi- (DOI:10.1016/j.future.2016.10.007) erarchical attribute-based encryption for fine-grained [8] M. Y. Shabir, A. Iqbal, Z. Mahmood, et al., “Anal- access control of encryption data,” International ysis of classical encryption techniques in cloud com- Journal of Network Security, vol. 16, no. 6, pp. 437– puting,” TsingHua Science and Technology, vol. 21, 443, 2014. no. 1, pp. 102–113, 2016. [22] S. Wang, K. Liang, J. K. Liu, et al., “Attribute-based data sharing scheme revisited in cloud computing,” [9] J. Han, W. Susilo, Y. Mu, et al., “Improving pri- IEEE Transactions on Information Forensics & Se- vacy and security in decentralized ciphertext-policy curity, vol. 11, no. 8, pp. 1661–1673, 2016. attribute-based encryption,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, [23] Z. Wang, D. Huang, Y. Zhu, et al., “Efficient pp. 665–678, 2015. attribute-based comparable data access control,” IEEE Transactions on Computers, vol. 64, no. 12, [10] C. C. Lee, P. S. Chung, M. S. Hwang, “A survey pp. 3430–3443, 2015. on attribute-based encryption schemes of access con- [24] K. Xue, J. Hong, Y. Xue, et al., “CABE: A new com- trol in cloud environments,” International Journal of parable attribute-based encryption construction with Network Security, vol. 15, no. 4, pp. 231–240, 2013. 0-encoding and 1-encoding,” IEEE Transactions on [11] H. Wang, Z. Zheng, L. Wu, et al., “New directly Computers, vol. 66, no. 9, pp. 1491–1503, 2017. revocable attribute-based encryption scheme and its [25] T. Okamoto, T. Okamoto, K. Takashima, et al., application in cloud storage environment,” Cluster “Fully secure functional encryption: attribute-based Computing, vol. 20, no. 3, pp. 2385–2392, 2017. encryption and (hierarchical) inner product encryp- [12] Y. Zhao, P. Fan, H. Cai, et al., “Attribute-based tion,” in International Conference on Theory and encryption with non-monotonic access structures Applications of Cryptographic Techniques, pp. 62–91, supporting fine-grained attribute revocation in m- 2010. healthcare,” International Journal of Network Secu- [26] Z. Liu, Z. Cao, Q. Huang, et al., “Fully secure multi- rity, vol. 19, no. 6, PP. 1044–1052, 2017. authority ciphertext-policy attribute-based encryp- [13] Y. S. Rao, “A secure and efficient ciphertext-policy tion without random oracles,” in European Sympo- attribute-based signcryption for personal health sium on Research in Computer Security, pp. 278– records sharing in cloud computing,” Future Gener- 297, 2011. ation Computer Systems, vol. 67, pp. 133–151, 2017. [27] H. Deng, Q. Wu, B. Qin, et al., “Ciphertext-policy [14] W. Sun, S. Yu, W. Lou, et al., “Protecting your hierarchical attribute-based encryption with short ci- right: verifiable attribute-based keyword search with phertexts,” Information Sciences, vol. 275, no. 11, fine-grained owner-enforced search authorization in pp. 370–384, 2014. the cloud,” IEEE Transactions on Parallel and Dis- [28] C. C. Lee, M. S. Hwang, S. F. Tzeng, “A New Con- tributed Systems, vol. 27, no. 4, pp. 1187–1198, 2016. vertible Authenticated Encryption Scheme Based on [15] H. Zheng, J. Qin, J. Hu, et al., “Threshold at- the ElGamal Cryptosystem,” International Journal tribute?based signcryption and its application to au- of Foundations of Computer Science, vol. 20, no. 2, thenticated key agreement,” Security & Communica- pp. 351–359, 2009. tion Networks, vol. 9, no. 18, pp. 4914–4923, 2016. [29] J. Li, Q. Wang, C. Wang, et al., “Enhancing [16] W. Li, K. Xue, Y. Xue, et al., “Tmacs: A robust attribute-based encryption with attribute hierarchy,” and verifiable threshold multi-authority access con- Mobile Networks & Applications, vol. 16, no. 5, trol system in public cloud storage,” IEEE Transac- pp. 553–561, 2011. tions on Parallel and Distributed Systems, vol. 27, [30] Z. Zhang, R. Sun, X. Wang, et al., “A situational no. 5, pp. 1484–1496, 2016. analytic method for user behavior pattern in multi- International Journal of Network Security, Vol.21, No.1, PP.137-144, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).17) 144

media social networks,” IEEE Transactions on Big Guoqin Chang, is a postgraduate student of Laboratory Data, 2017. (DOI:10.1109/TBDATA.2017.2657623) of Intelligent Computing & Application Technology for [31] Z. Zhang, K. K. R. Choo, A. K. Sangaiah, et al., Big Data, Henan University of Science and Technology. “Crowd computing for social media ecosystems,” Ap- Her research interests in intelligent information processing plied Soft Computing, vol. 66, pp. 492–494, 2018. and data mining.

Biography

Cheng Li is currently a postgraduate majoring in Com- puter Science, Information Engineering College, Henan University of Science & Technology. His research interest focuses on information security, applied cryptography and multimedia social networks security. Zhiyong Zhang, born in 1975 October, earned his Master, Ph.D. degrees in Computer Science from Dalian University of Technology and Xidian University, P. R. China, respectively. He was post-doctoral fellowship at School of Management, Xi’an Jiaotong University, China. Nowadays, he is a full-time Henan Province Distinguished Professor, Ph.D. Supervisor and Dean with Department of Computer Science, Information Engineering College, Henan University of Science & Technology. He was also a visiting professor of Computer Science Department of Iowa State University. Prof. Zhang and research interests include multimedia content security and soft computing, social big data analytics, digital rights management, and so on. He is IEEE Senior Member (06’M, 11’S), ACM Senior Member (08’M, 13’S), IEEE Systems, Man, Cybermetics Society Technical Committee on Soft Computing. And also, he is Editorial Board Member of Multimedia Tools and Applications (Springer, SCI), Neural Network World (Czech Republic, SCI), Journal on Big Data (Springer) and EURASIP Journal on Information Security (Springer), Associate Editor of Human-centric Computing and Information Sciences (Springer), Leading Guest Editor/Co-Guest Editor of Applied Soft Computing (Elsevier, SCI), Computer Jour- nal (Oxford, SCI), Future Generation Computer Systems (Elsevier, SCI), as well as International Advisory Board Member of International Journal of Cloud Applications and Computing (IGI Global). Recent years, he has published over 120 scientific papers and edited 6 books in the above research fields, and also holds 10 authorized patents. International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 145

A Provable Secure Short Signature Scheme Based on Bilinear Pairing over Elliptic Curve

Subhas Chandra Sahana and Bubu Bhuyan (Corresponding author: Subhas Chandra Sahana)

Department of Information Technology, North-Eastern Hill University Shillong, Meghalaya, India (Email: [email protected]) (Received July 31, 2017; revised and accepted Oct. 22, 2017)

Abstract applications where signatures are going to be printed on papers or CDs, the signature size is the principal factor. Currently, short signature is receiving significant atten- Due to its numerous application, many short signature tion since it is particularly useful in communication with schemes have been proposed fitted in different cryptosys- low-bandwidth as the size of the generated signature is tem. For example, the short signature schemes in [2,14,20] shorter than other conventional signature schemes. In this are Public Key Infrastructure (PKI) based and the short paper, a new short signature scheme is proposed based on signature schemes in [10,12,17] are fitted in certificate-less bilinear pairing over elliptic curve. The proposed scheme cryptosystem. is efficient as it takes lesser number of cost effective pair- In 2001, the first short signature scheme, called BLS [7] ing operations than the BLS signature scheme. Moreover, signature, was proposed by Boneh, Lynn and Shacham. the proposed scheme does not require any special kind of Since then, short signature has been investigated inten- hash function such as Map-To-Point hash function. The sively and many short signature schemes have been pro- efficiency comparison of the proposed scheme with other posed [1,19]. The technique behind the achieved a shorter similar established short signature schemes is also done. length signature is the use of bilinear pairing over the el- The security analysis of our scheme is done in the random liptic curve group. Actually, the elliptic curve group pro- oracle model under the hardness assumptions of a mod- vides shorter key size with same security level of Diffie- ified k-CAA problem, a variant of the original k-CAA Hellman (DH) group. The Table 1. shows the NIST’s problem. In this paper, we also provide an implementa- recommendation of key size to be used for achieving same tion result of the proposed scheme. security level of symmetric key cryptosystem. It can be Keywords: BLS Signature Scheme; Bilinear Pairing; El- observed from the table that Elliptic Curve Cryptography liptic Curve; Map-To-Point Hash Function; Short Signa- (ECC) has the shorter key size than the RSA with same ture level of security. Table 2 shows the comparison on the number of bits 1 Introduction present in the produced signature of different signature generation algorithms. From the table it is clear that Short signature is a variant of digital signature. As the to get a security level of λ bits, the BLS, Schnoor, size of the signature generated by a short signature scheme ECDSA, RSA signature scheme produces a signature of 3 is shorter so, it is suitable in low-bandwidth communica- size 2λ, 3λ, 4λ, O(λ ) bits respectively. tion environments. For instance, as said in Bellare and Recently, bilinear paring mainly Weil pairing and Tate Neven [5] (2006), wireless devices have a short battery pairing are used as tools to construct variant signa- life. Communicating even one bit of information uses es- ture schemes. There are some cryptographic schemes sentially more power than executing one 32-bit instruc- which can only be constructed by bilinear pairing, for tion (Barr and Asanovic, 2003). Consequently, dimin- example ID-based encryption, non-trivial aggregate sig- ishing the number of bits in communication saves power nature, tripartite one round Diffie-Hellman key exchange, and increase the battery life. In numerous settings, com- etc. Besides these, some primitives which can be con- munication channels are not reliable. So with the short structed using other techniques, but for which pairings signature, it reduces the number of bits to be sent over provides improved functionality and makes the crypto- a communication channel. In addition to this, signature graphic schemes simple and efficient such as tripartite one scheme with shorter signature length has higher prior- round Diffie-Hellman key exchange, etc. Short signature ity in many applications. For example, considering those can provide a high security level with relatively shorter International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 146

2.1 Bilinear Pairing Table 1: Recommend key sizes NIST [3] Symmetric RSA and Elliptic Let G1 be an additive cyclic group generated by P whose Key Size Diffie- Curve Key order is a prime q and G2 be a multiplicative cyclic group (bits) Hellman size (bits) of the same order q.A bilinear pairing is a map e : Key Size G1 × G1 → G2 with the following properties: (bits) ab • Bilinearity: e(aP, bQ)= e(P,Q) for all P,Q ∈ G1 80 1024 160 ∗ and all a,b ∈ Zq . 112 2048 224 128 3072 256 • Non-Degenerate: There exists P,Q ∈ G1 such that 192 7680 384 e(P,Q) 6= 1. 256 15360 512 • Computable: There is an efficient algorithm to compute e(P,Q) , for all P,Q∈ G1. Table 2: Signature size at security level λ = 128bits Algorithm Signature λ = 128 2.2 Diffie-Hellman Problem size (bits) Actually, the cryptographic schemes from bilinear pair- RSA [8] O(λ3) 2048 ing are based on the difficulty of solving certain Diffie- ECDSA [11] 4λ 512 Hellman problem which is assumed to be a hard problem. Schnorr [16] 3λ 384 • Decisional Diffie-Hellman Problem (DDHP): BLS [7] 2λ 256 ∗ For a, b, c ∈R Zq , If P, aP, bP, cP is given, to decide whether c ≡ ab mod q, is known as Decisional Diffie- signature length. The best known shortest signature is Hellman Problem. The DDHP is not a hard problem BLS [7] short signature which has half the size of a Dig- as bilinear pairing can be used to solve this decision ital Signature Algorithm (DSA) [9] signature but gives a problem in polynomial time. same security level. The DSA [9] was the best known al- • Computational Diffie-Hellman Prob- gorithm to generate a shorter length signature before the lem(CDHP): introduction of bilinear pairing. The length of the gener- ∗ For a, b ∈R Zq , given P, aP, bP , to compute abP is ated signature by the DSA [9] over the finite field Fq is known as Computational Diffie-Hellman Problem about 2 log q. On the other side, using bilinear pairing as which is a hard problem. a tool, the signature length is approximately α log q where α = log q/log r and r is chosen in such a way that it is • Gap Diffie-Hellman (GDH) group: the largest prime divisor of the total number points on an A group G is called a Gap Diffie-Hellman (GDH) elliptic curve. The logic behind of using elliptic curve is group if DDHP can be solved in polynomial time but to get same level of security of RSA cryptosystem using no probabilistic algorithm can solve CDHP with non- lesser number of bits used in underline field on which the negligible advantage within polynomial time in G. elliptic curve constructed. From the Table 1, it is clear • k-CAA Problem: For a inte- that if we decide to use NISTs figure, then to achieve 256 ger k, given P, sP and k pairs bits of security level, we will need to select a elliptic curve  1   1   1  group E( ) of size 512 bits. On the other hand, it is e , .P , e , .P , e , .P Fq 1 s + e 2 s + e 3 s + e equivalent to a field of size 15360 bits. 1 2 3 Fq  1   1  The rest of this paper is organized as follows: In Sec- ...... e , .P ; compute e, .P for k s + e s + e tion 2, some basic preliminaries behind our work are dis- k some e∈ / {e , e , e ...... e }. It is believed that the cussed. In Section 3, a new short signature scheme in- 1 2 3 k k-CAA problem is a hard problem. The problem spired by Sedat et al. [1] is proposed from bilinear pair- firstly introduced by Mitsunari et al. [13]. However, ing, followed by, security analysis of the proposed scheme the security of our proposed scheme is based on a in the random oracle model is done in Section 4. In Sec- modified version of the original k-CAA problem. tion 5, an implementation results have been given. The We call it as the Modified k-CAA Problem which is efficiency analysis of our scheme with most similar estab- the cubic version of the original k-CAA problem. lished signature schemes has been provided in Section 6. Finally, we conclude our work in Section 7. • Modified k-CAA Problem: For a integer k, given P, sP and k pairs ( ) ( )  1 3  1 3 2 Preliminaries e1, · P , e2, · P , s + e1 s + e2 (  3 ) (  3 ) In this Section, the basic mathematical background on 1 1 e3, · P ··· ek, · P ; which the proposed scheme stans has been discussed. s + e3 s + ek International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 147

 1 3 Theorem 1. Let us assume that there is an adaptively Compute {e, · P } for some e∈ / s + e chosen message attacker F (t, qh, qs, )-breaks the proposed {e1, e2, ··· , ek}. The modified k-CAA problem is scheme where it is assumed that F makes qh queries to the not harder than original version of k-CAA prob- hashed oracle and qs queries to signature oracle and can lem [18]. break the proposed scheme with non-negligible probability  and time t. Then there exists an algorithm A which, as a black box, can solve the modified k-CAA with non- 3 The Proposed Short Signature negligible probability

Scheme !qs+1 0 1 1  ≥ . 1 − . Our proposed scheme has been constructed from symmet- qs qs + 1 ric bilinear pairing, which means the two input groups in pairing operation are same. Let G and G be cyclic addi- 0 1 2 and time t ≤ t+tserach.qs +C.qh +ts, where tserach is the tive and multiplicative group respectively of prime order time to searching a list , C is the constant time for each q each. Let P is the generator point of G and the bilinear 1 hash request and ts is the running time of the simulator. map is the e : G1 × G1 → G2. Let H be general cryp- tographic hash function such as MD5, SHA-1. Suppose We assume that F is well-behaved in the sense that it that Alice wants to send a signed message to Bob. Like always requests the hash of a message m before it requests other signature scheme, the proposed scheme consists of a signature for m, and that it always requests a hash of a four steps. message m for which it outputs as its forgery.It is trivial to achieve this property by modifying any forger algorithm 1) System Initialization: In this step all the system pa- F . In addition to this, it is needed that A would be rameters G1,G2, e, q, P, H are setup. engaged in a certain amount of book-keeping work. In ∗ particular, it must maintain a list of the messages mi on 2) Key Generation: A random value x ∈ Zq cho- 3 which F requests hashed value hi and signatures σi. sen by Alice and computes Ppub1 = x P,Ppub2 = 2 3x P,Ppub3 = 3xP . In this setup, Ppub1Ppub2,Ppub3 Proof. Suppose that A is a given a challenge: are the public keys, x is the secret key. For a integer k, given P, sP and k pairs (  3 ) (  3 ) 3) Signing: Given a secret key x and a message m, Alice 1 1 e1, .P , e2, .P , computes the signature σ = (H(m) + x)(−3)P . s + e1 s + e2 ( ) ( )  1 3  1 3 4) Verification: Using public keys Ppub1,Ppub2,Ppub3, a e3, · P ··· ek, .P ; message m and a signature σ, Bob verifies the signa- s + e3 s + ek ture σ by the following equation holds or not.  1 3 Compute {e, · P } for some e∈ / s + e 3 2 e(H(m) P +Ppub1 +Ppub2H(m)+Ppub3H(m) , σ) {e1, e2, ··· , ek}. Now, A and F play the role of = e(P,P ) challenger and adversary respectively.

If the above equation holds, Bob accepts the signature σ 4.1 Construction of A of the message m otherwise bob rejects it. For Simplicity, A is constructed in a series of games. Each Correctness: game is a variant of the previous game. It is worth of men- 3 2 e(H(m) P + Ppub1 + Ppub2H(m) + Ppub3H(m) , σ) tioning that A1, A2, A3 and A4 denotes the adversary for = e((H(m)3 + x3 + 3x2H(m) + 3xH(m)2)P, σ) the Game 1, Game 2, Game 3 and Game 4 respectively. (H(m)+x)−3(H(m)+x)3 The A has the power to simulate the behavior of the at- = e(P,P ) tacker F . In each game, we will use a probability ξ which = e(P,P ) will be optimized later. The symbol βξ denotes the prob- ability distribution over the set {0,1} where 1 is drawn from the set with probability ξ and 0 with (1 − ξ). 4 Security Analysis Game 1. In setup, all the system parameters are gener- ated. The public parameter are published in the pub- In this Section, we give the security proof for our proposed lic. The secret parameter s is kept secret from the A short signature scheme in the random oracle model. The and from F .The public keys pk are constructed, as above short signature is secure against existential forgery follows. under adaptive chosen message attack in the random ora- 3 cle model with the assumption that the modified k-CAA • Ppub1 = s P ; 2 Problem in G1 is hard. • Ppub2 = 3s P ; International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 148

• Ppub3 = 3sP . Game 3. A3 acts as does A2, with a minor difference. If F unable to forge signature, A also fails. If F able All the above public keys are sent to attacker F . The 3 to forge signature for the message m∗ then A also values of sP = 3−1P is given to the algorithm A. i pub3 claims the success to get a solution to the undertaken Then, for each message m , 1 ≤ i ≤ q , A picks a ∗ i h 1 computational problem if si = 1 and F would submit R random bit si ←− βξ and set H(mi) = hi. The value signature query only for the message mi for which of hi is set to ei where 1 ≤ i ≤ qh and return the si = 0. value ei as a response of the has query. When the As no information is supplied about the si to the F , Adversary F makes a signature query on a message each signature query can cause A to declare a failure mi, then the A searches the ei value in the list and with probability (1 − ξ). Thus we have  1 −3 return .P as a responded signature. Ac- s + ei k tually, the list consists of the tuple {mi, ei, σi}, where AdvA3 = AdvA2 .P r[sij = 0, j = 1....k] = ξ.(1 − ) the message mi is stored in a list with its hashed qs  1 −3 ≥ (1 − ) ξ value ei, and its signature σi = .P . s + ei Game 4. A acts like A does. However, if A succeeds,  −3 4 3 4 1 ∗ 1 3 Note that, (mi,pk, hi = ei, σi = P ) outputs σ = ( ) P as forgery of the message s + ei s + e is valid Diffie-Hellman tuple as it passes the signa- mi∗ , where e is the hashed value of the massage mi∗ , ture verification process. i.e. H(mi∗ ) = e for which F output a forged signa- ∗ ture σ . Clearly, A4 succeeds with precisely the same 3 L.H.S. = e(H(mi) P + Ppub1 + Ppub2H(mi) probability as A3, so 2 + Ppub3H(mi) , σi) 3 AdvA4 = AdvA3 = e(ei P + Ppub1 + Ppub2ei = Adv .P r[s = 0, j = 1, 2, ··· , k]  1 −3 A2 ij 2 k + Ppub3ei , .P ) = (1 − ) ξ s + ei q 3 3 2 2 −3 ≥ (1 − ) s ξ. = e(ei + s + 3s ei + 3sei )P, {s + ei} .P ) (e +s)−3(e +s)3 = e(P,P ) i i ∗ Moreover, A4 only succeeds if si = 1, which means ∗ ∗ = e(P,P ) that hi = e and σ is the signature of the message ∗ ∗ ∗ ∗ = R.H.S m indexed by i , then (mi ; pk; σ ) must be a valid  1 3 Diffie-Hellman tuple, so σ∗ = P , which is s + e Finally, F halts, either conceding he failed or return- indeed the solution of the modified k-CAA problem. ∗ ∗ ∗ ∗ ing a forged signature (m ; σ ), where m = mi for As per the games, disscussed above the A can solve 0 some i∗ on which F he did not requested a signature. the modified k-CAA problem with probability  ≥ Suppose F succeeds in forging, A1 outputs success; (1 − )qs ξ. otherwise, it outputs ”failure”. Thus 4.2 Optimization and Conclusion  F AdvA1 = P rob. A1 (modified k-CAA Problem) In this subsection, we want to optimize the parameter ξ  to achieve a maximal probability of success. The function 1 = success (1 − ξ)qsξ is maximized at ξ = , where it has the qs + 1   value = P rob. V erify(pk, m∗, σ∗) = V alid !qs !qs+1 1 1 1 1 =  . 1 − . = . 1 − . qs + 1 qs + 1 qs qs + 1 Game 2. A2 acts as does A1, with a little difference. If F fails, A2 outputs ”failure”; if F succeeds, giving So, the modified k-CAA problem can be solved by the output a forgery (m∗, σ∗), where i∗ is the index of !qs+1 0 1 1 ∗ ∗ A with probability  ≥ . 1 − . m , then A2 outputs success, if si = 1, but failure if qs qs + 1 s ∗ = 0. Clearly, F can get no information about any i Next, we would estimate the time taken by A to solve s ∗, so its behavior cannot depend on their values. As i the modified k-CAA problem. A’s running time includes the value of s ∗ = 1 is chosen from the set {0, 1} with i the running time of F . The additional overhead imposed probability ξ thus we have by A, is dominated by the need to search the list contain- ∗ AdvA2 = AdvA2 .P r[si = 1] = ξ. ing the tuples {mi, ei, σi} for getting the corresponding International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 149 signature, queried by F . Except the searching cost, no 14873865704216658622752136882995707071770929985204 extra computation involved to generate the signature be- 2269728915887678507962335880209573733453, 86895239 cause the signatures are already given in the problem. We 18563758982056666423922767096191922774023324509608 can assume constant amount time needed for each hash re- 68772463768039101268313400354970675113261572051882 quest from F as the hashed values are already given in the 3046921034904851084360618485324305660338117047]. problem. Let us assume that the time needed for search- ing the list tsearch. So, the total running time needed to To verify, the message is hashed using cryptographic hash answer as many as (qs + qh) such requests, is function H and generate the hashed message as: H(m) =

0 441854721793313555354423734373189812993762095987. t ≤ t + tsearch.qs + C.qh + ts, where C, t are constant time to serve a hash query and Compute the pairing: s 3 2 running time of the simulator respectively. e(H(m) P + Ppub1 + Ppub2H(m) + Ppub3H(m) , σ) = [1120539905030284386666594372752990165598444056724 45344618219640847132537270510436302325301680489741 5 Implementation Result 91419592471435523808930098392282225166595052035468 24425, 8026017746651598938313304770558504235314467 The proposed scheme has been implemented using Pairing 20028089621862621602849870011382901646770550520983 based cryptography (PBC) library [15]. The explanation 49160063385074718510818542219066791183590504166149 of the result of the proposed scheme is given below. 112060847591]. P = [192986486123713519393909328933523037284784 91004662265196503727693139637922709870433202758965 Compute the pairing: 13457059148073430447824268885706106109906254206093 e(P,P) = [11205399050302843866665943727529901655984 280693836, 501420448535073578989280727624093969333 44056724 45344618219640847132537270510436302325301 85741208012663562069875078736229197761631701102288 680489741 9141959247143552380893009839228222251665 66412462023685774069351431940207437204128961514477 9505203546 824425, 80260177499515989381330477055850 050043811715742]. 4235314467 2002808962186262160284987001138290164677 0550520983 4916006385074718510818542290667911835905 Let x = [1265908932634150451647717716712340277 0416614911 2060847591]. 08815422770] be the secret key. P = [441689870023147090314403447339502824958611 pub1 From the above result, we can claim that the signature is 68245371714845567562608664843497742265604064077942 valid. 57867578675786195471261396070944205290475705582841 7854661281237608698, 34360822137243754182196882839 97667670494305117850675397880306409364822200407239 96368559693036272553667711608621748740995578549186 5.1 Running Time Efficiency Comparison 17618318334875150086572529] be the first public key. We compare running time of our proposed scheme with other three established short signature schemes i.e. Ppub2 = [19592480446279217949323193484764934053494 03661038358823669680250914482416056635807620995525 BLS [7], ZSS [19], Sedat [1]. All the schemes have been 11498174693498774587900294239228651778055439102034 implemented using Pairing-Based Cryptography (PBC) 608839661404887, 494932513117050606495199878175923 library [15] in C on Linux systems with an Intel Core i3 63599436085377815538669761267040792935628973099520 CPU 2.13GHz and 6.00GB RAM. All schemes are dif- 76315362404051854588737494637770645919286622782851 ferent in the process of user-key-generation, signature- 288494074935292488790] be the second public key. generation and the signature-verification. So, it is worth of giving a running time comparison of all the schemes, in the phases of key generation, signature generation and the Ppub3 = [177947893349060111593373570739170119977352 81536961967944958277308829161095598576985932011979 signature verification. The running time and signature 74932404668694060764315425265578143926947470957791 length of all the schemes can be seen in Table 3. The |G1| 09360055160,73855654342439210919869820314375450311 denotes the size of an element in the group G1. For easy 00042376054573955814295886041128145544221416232106 understanding, the results which is given in Table 3 have 67884397800716188170054984546984622552622105684703 been represented by bar chart separately. Figure 1, Fig- 117970371757588] be the third public key. ure 2 and Figure 3 illustrate the the running time in the phases of user-key-generation, signature-generation and The message m is hashed using cryptographic hash the signature-verification respectively. function H and the message digest value H(m) = 4418547219333555354423734373189812993762095987. Signature of the message is: σ = [4346107938024 46962992888284367076304445172433417427304324796033 International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 150

7.6 Table 3: Comparison of the running time 7.4 Scheme Keygen Sign Verify Signature (ms) (ms) (ms) Length 7.2 BLS [7] 6.592 5.6 8.680 |G1| ZSS [19] 6.42 5.5 13.902 |G1| 7 Sedat [1] 6.418 5.51 16.117 |G1| Proposed 7.5 5.105 7.549 |G1|

Time [MS] 6.8 Table 4: Operation notation and description 6.6 Notation Description 6.4 τpo Execution of a bilinear pairing operation ∗ BLS [7] ZSS [19] Sedat [1] Proposed τinv Execution of an inversion in Zq Schemes τh Execution of a hash function τp−add Execution of an point addition in Figure 1: User Key Generation G1 τsqu Execution of a square operation ∗ in Zq τcube Execution of a cube operation in 5.6 ∗ Zq τsm Execution of scalar multiplica- 5.5 tion in G1 τec−add Execution of a elliptic curve 5.4 point addition G1 τMTP Execution of Map to point hash function 5.3 Time [MS]

5.2 6 Efficiency Analysis

5.1 Sometimes, relying on the running time is not up to the mark as it may be heavily affected by several factors such BLS [7] ZSS [19] Sedat [1] Proposed as the machine may be heavily loaded or lightly loaded Schemes at the execution time of the programs. So, it is worth of giving theoretical efficiency comparison of our proposed Figure 2: Signature Gneneration scheme. The various notations for time complexity of the operations involved in those schemes are given in the Ta- ble 4. The efficiency comparison of our proposed scheme with the scheme BLS [7], ZSS [19] and Sedat et al. [1] 16 is shown in Table 5. In the proposed scheme, the value of e(P,P ) can be pre-computed. It can be claimed that, the signature verification process of the proposed scheme 14 is constructed with only one bilinear pairing operations but the BLS [7] scheme has two bilinear pairing opera- 12 tions. In pairing based cryptographic scheme, it is well known that compare to other operations, pairing oper-

Time [MS] ation is the most time consuming operation. Instead of 10 many attempts [4] to reduce the cost of pairing operation, still the pairing operation is very costly. 8 7 Conclusions BLS [7] ZSS [19] Sedat [1] Proposed Schemes The scheme presented in this paper is based on bilinear pairing. The main advantage of our proposed scheme is Figure 3: Signature Verification that it does not require any special kind of hash function International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 151

[9] Federal Information Processing Standards Publica- Table 5: Efficiency Comparison tion, Digital Signature Algorithm (DSA), FIPS 186, Schemes Key- Signing Verification May 19, 1994. Generation [10] Y. H. Hung, Y. M. Tseng, and S. S. Huang, “A re- BLS [7] 1τsm 1τsm + 1τMTP + vocable certificateless short signature scheme and its 1τMTP 2τpo authentication application,” Informatica, vol. 27, no. ZSS [19] 1τsm 1τsm + 1τsm + 3, pp. 549–572, 2016. 1τh+τinv 1τh + 1τpo + [11] D. Johnson, A. Menezes, and S. Vanstone, “The el- 1τp−add liptic curve digital signature algorithm (ECDSA),” Sedat 2τsm + 1τh + 2τsm +1τh + International Journal of Information Security, vol. 1, Ak- 2τsqu 1τinv + 1τsqu + no. 1, pp. 36–63, 2001. ley [1] 1τsqu + 1τpo + [12] A. Karati and G. P. Biswas, “Cryptanalysis and im- 1τsm 2τp−add provement of a certificateless short signature scheme Proposed 3τsm + 1τsm + 3τsm +1τh + using bilinear pairing,” in Proceedings of the In- 1τsqu + 1τcube + 1τcube + ternational Conference on Advances in Information 1τcube 1τh + 1τsqu + Communication Technology & Computing, pp. 64– 1τinv 1τpo + 79, 2016. 3τp−add [13] S. Mitsunari, R. Sakai, and M. Kasahara, “A new traitor tracing,” IEICE Transactions on Fundamen- tals of Electronics, Communications and Computer such as map-to-point hash function. Any general crypto- Sciences, vol. 85, no. 2, pp. 481–484, 2002. graphic hash function such as MD5, SHA-I can be used [14] N. A. Moldovyan, “Short signatures from difficulty for creating the hashed value from a massage. Moreover, of factorization problem,” International Journal of our proposed scheme requires only one pairing operation Network Security, vol. 8, no. 1, pp. 90–95, 2009. where BLS [7] scheme requires two pairing operations in [15] PBC Library, The Pairing Based Cyptography, Aug. the process of signature verification. 12, 2018. (https://crypto.stanford.edu/pbc/) [16] C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, References pp. 161–174, 1991. ¨ [17] J. L. Tsai, “A new efficient certificateless short signa- [1] S. Akleylek, B. B. Kirlar, O. Sever, Z. Y¨uce, Short ture scheme using bilinear pairings,” IEEE Systems Signature Scheme from Bilinear Pairings, RTO-MP- Journal, vol. 11, no. 4, pp. 2395–2402, 2017. IST-091, 2011. [18] R. Tso, X. Yi, and X. Huang, “Efficient and [2] J. Alperin-Sheriff, “Short signatures with short pub- short certificateless signature,” in International lic keys from homomorphic trapdoor functions,” in Conference on Cryptology and Network Security IACR International Workshop on Public Key Cryp- (CANS’08), pp. 64–79, 2008. tography, pp. 236–255, 2015. [19] F. Zhang, R. Safavi-Naini, and W. Susilo, “An ef- [3] E. Barker, W. Barker, W. Burr, W. Polk, and ficient signature scheme from bilinear pairings and M. Smid, “Recommendation for key management its applications,” International Workshop on Public part 1: General (revision 3),” NIST Special Publi- Key Cryptography (PKC’04), pp. 277–290, 2004. cation, vol. 800, no. 57, pp. 1–147, 2012. [20] M. Zhang, B. Yang, Y. Zhong, P. Li, and T. Takagi, [4] P. S. Barreto, B. Lynn, and M. Scott, “On the “Cryptanalysis and fixed of short signature scheme selection of pairing-friendly groups,” in Interna- without random oracle from bilinear parings,” Inter- tional Workshop on Selected Areas in Cryptography national Journal of Network Security, vol. 12, no. 3, (SAC’03), pp. 17–25, 2003. pp. 130–136, 2011. [5] M. Bellare and G. Neven, “Multi-signatures in the plain public-key model and a general forking lemma,” in Proceedings of the 13th ACM Conference on Com- Biography puter and Communications Security, pp. 390–399, 2006. Subhas Chandra Sahana was born at Bankura, India. [6] D. Boneh and M. Franklin, “Identity-based encryp- He Received the B.Tech (bachelor degree) in Computer tion from the weil pairing,” in Advances in Cryptol- science and Engineering from Jalpaiguri Govt. Engineer- ogy (CRYPTO’01), pp. 213–229, 2001. ing College under West Bengal University of Technology. [7] D. Boneh, B. Lynn, and H. Shacham, “Short signa- He got his M.Tech(IT) degree from Tezpur University , tures from the weil pairing,” in Advances in Cryptol- Assam and pursuing Ph.D. in North-Eastern Hill Uni- ogy (ASIACRYPT’01), pp. 514–532, 2001. versity. His research interest includes Cryptography and [8] D. Boneh et al., “Twenty years of attacks on the rsa Network Security, Algorithm Analysis and Design, Infor- cryptosystem,” Notices of the AMS, vol. 46, no. 2, mation Theory and Coding etc.. Currently he is Assistant pp. 203–213, 1999. Professor in the department of Information Technology, International Journal of Network Security, Vol.21, No.1, PP.145-152, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).18) 152

North Eastern Hill University, Shillong, Meghalaya, In- dia. Dr. Bubu Bhuyan was born in India. He received his M.Tech (IT) and Ph.D. degree from Tezpur University and Jadavpur University respectively. His research in- terest includes Cryptography and Network Security, Al- gorithm Analysis and Design, Information Theory and Coding etc.. Currently he is Associate Professor in the de- partment of Information Technology, North-Eastern Hill University, Shillong, Meghalaya, India. International Journal of Network Security, Vol.21, No.1, PP.153-159, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).19) 153

Identification and Processing of Network Abnormal Events Based on Network Intrusion Detection Algorithm

Yunbin He (Corresponding author: Yunbin He)

College of Physics and Information Engineering, Zhaotong University Room 101, Unit 1, Building 3, Zuanshi Renjia, Zhuquan Road, Zhaoyang district, Zhaotong, Yunnan, China (Email: [email protected]) (Received May 31, 2018; revised and accepted Sept. 7, 2018)

Abstract growing data are individual information and confidential information of enterprises which need to be kept secret, With the popularity of the Internet, people’s lives are but these data are very easy to induce malicious network becoming more and more convenient, but the network se- attacks because of their business values [4]. curity problems are also becoming increasingly serious. In the Internet age, software used for network attacks In order to better prevent internal or external malicious is easy to obtain, making the unlawfully malicious at- attacks and protect the network security of users, this tacks easily made without professional knowledge. These study chose deep neural network (DNN) learning algo- malicious network attacks have seriously affected the use rithm and convolutional neural network (CNN) learning of network and computers. Many studies have stud- algorithm as network intrusion detection algorithms and ied this problem. Hong et al. [1] put forward a multi- tested two algorithms under different parameters and ac- stage distributed vulnerability detection, measurement tivation functions with KDD99 data set on the MATLAB and game selection mechanism based on attack graph simulation platform. Moreover, the performance of the analysis model and reconfigurable virtual network, and algorithms was compared with those of other clinic al- built the monitor and control plane on distributed pro- gorithms and deep learning algorithms. The results sug- grammable virtual switches using OpenFLUE Applica- gested that the recognition performance of DNN and CNN tion Program Interface (API) to significantly improve at- learning algorithms was different under different network tack detection ability and mitigate consequences of at- parameters and activation functions. When ReLU func- tacks. The system and security assessment suggested that tion was used as the activation function, the recogni- the proposed solution was effective and efficient. tion performance was the best. The network parame- ters of DNN and CNN were 122-250-520-250-5 and was To improve the security of in-vehicle network, Kang 10(18)-14(22)-16 (18), respectively. The recognition per- et al. [2] proposed a deep neural network (DNN) based formance of DNN and CNN learning algorithms were bet- intrusion detection system and the technology to initial- ter than those of the classical algorithms, self-organizing ize parameters using the non-supervised pre-training of map (SOM) and support vector machine (SVM) algo- deep belief network to improve detection preciseness. The rithms, but was worse than that of dynamic Bayesian experimental results demonstrated that the technology network (DBN) algorithm. DNN was superior to DBN could produce real-time response to attacks on the bus in the aspect of false alarm rate; overall, DNN algorithm of controller area network and improve the detection rate was superior to DBM algorithm. significantly. Hodo [3] proposed dealing with malicious at- tacks on the Internet with artificial neural network (ANN) Keywords: Convolutional Neural Network; Deep Neural and focused on the classification of normal mode and Network; Detection Algorithm; Network Security threat mode on the network. The experimental results demonstrated that the method had a preciseness of 99.4% 1 Introduction and could detect all kinds of distributed denial of service (DDoS) attacks successfully. With the development of the Internet and the popular- In this study, DNN learning algorithm and convolu- ity of computers, information sharing and communication tional neural network (CNN) learning algorithm were se- between people are becoming more frequent. The flow of lected as network intrusion detection algorithms, and the data in the network is also growing, and a large part of the two algorithms are tested with KDD99 data set under dif- International Journal of Network Security, Vol.21, No.1, PP.153-159, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).19) 154

ferent parameters and activation functions on the MAT- where ys is the s-th element in output vector y. LAB simulation platform. Finally, it was compared with The result is obtained after extraction feature is input, the performance of other classical algorithms and depth and such a process is known as forward propagation pro- learning algorithms. cess. Finally, the result of the output layer needs to be compared with the guidance signal, and the correspond- ing optimization algorithm is needed in the comparison. 2 Network Intrusion Detection At present, the common optimization algorithm is the stochastic gradient descent based error back propagation 2.1 Intrusion Detection Model algorithm [9]. Figure 1 shows a simple model of network intrusion detec- tion [5]. It could be seen from Figure 1 that the intrusion 2.3 CNN Model Algorithm detection model had four layers, data input layer, neural network layer, data classification layer and classification CNN is an algorithm model inspired by receptive field result layer. The neural network layer is used for feature mechanism in biology. It is essentially a mathematical extraction of data and combined with the classification model with supervised learning module [13]. In CNN, layer to form a deep learning network. In this study, multiple convolutional layers alternate to extract features DNN learning algorithm and CNN learning algorithm of the input layer and then performed integration and were taken as network intrusion detection algorithms. transformation on the extracted features through the fully connected layer, i.e., the largest pooling layer. CNN can effectively obtain generalized features from a large amount of learning data. Convolutional layer is the core part of the whole network, and its output is called feature map; the convolution is like a linear weighting operation, and its expression [7] is: X X R(i, j) = (O ∗ H)(i, j) = O(i + c, j + d)H(c, d). c d

The expression for the generation of feature map [14] is

m m X m m m αj = f(γ ) = f( αi ∗ Hj + βj )

i∈Ni

m Figure 1: The structure of the intrusion detection model where αj is the output feature map of the j-th convo- lution kernel on the m-th layer, Nj is the set of output m feature map of the m-1-th layer, Hj is the j-th convolu- m tion kernel of the m-th layer, βj is the bias term of the 2.2 DNN Model Algorithm feature map of the corresponding convolution kernel, and ∗ is convolution operation. DNN is essentially is a multilayer perceptron containing Pooling layer, also called down sampling layer, is multiple hidden layers in forward neural network struc- mainly used for compressing feature map obtained from ture, and it includes three layers, input layer, hidden layer 0 the convolutional layer. Max pooling and even pooling and output layer. If the input feature is g = N, then the are common in practical application. activate value of nodes on the hidden layer of DNN [6] is expressed as: bm = W mgm−1 + am (1 ≤ m ≤ M + 1) 3 Simulation Experiment

m m m 1 g = f(b ) with gj = −bm (1 ≤ m ≤ M) 3.1 Data Preparation 1 + e j where N stands for the number of hidden layers of DNN, KDD99 data set was used in the experiment [10]. Each W m and am are the weight and offset vector of the m- data in the data set was 42-dimensional. The first 41 di- th hidden layer respectively, and f(·) is the non-linear mensions were feature attributes of data, and the last activation function sigmoid of nodes on the hidden layer. one was a decision attribute which indicated whether The output layer of DNN often uses softmax func- the data was abnormal. The data set included data of tion [8] to model the posterior probability distribution the known network intrusion categories and normal data, of input features, and its expression is: which could simulate real network environment. 20% of the data set were taken as training samples, and the re- M+1 M+1 ys = gs = P r(s|N) = softmaxs(b ) maining 80% were taken as test samples. International Journal of Network Security, Vol.21, No.1, PP.153-159, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).19) 155

Table 1: The network parameters and activation functions of DNN algorithm

Activation functions of the Activation function of No. of model Network parameter hidden layer and input layer the output layer DNN1 122-90-40-10-5 relu softmax DNN2 122-90-40-10-5 tanh DNN3 122-90-40-10-5 sigmoid DNN4 122-250-520-250-5 relu DNN5 122-250-520-250-5 tanh DNN6 122-250-520-250-5 sigmoid

3.2 Data Preprocessing 3.5 Setting of Algorithm Among the 42 dimensions of features of data in KDD99 1) DNN Algorithm Model set, 38-dimensional features were numbers, and 3- DNN included one input layer, one output layer and dimensional features were characters which could not be three hidden layers. The network parameters were directly identified by CNN. Therefore, character features represented by the corresponding dimensions of data should be firstly converted to numerical features. The 41 in each layer. Cross entropy was used as the loss dimensions of features became 122 dimensions of numer- function in the training process. The random gra- ical features. Then the numerical features were normal- dient descent method was selected to avoid the lo- ized, and its expression [15] is: cal optimal solution. In addition to the output layer which applied softmax as the activate function, the x − N x0 = min other layers applied sigmoid, relu and tanh as ac- Nmax − Nmin tivation functions [12]. The performance test was performed using the testing set after training. The where x is the numerical value which needs to be normal- specific choices of network parameters and activation ized, N is the minimum value in some dimension, and min functions of DNN algorithm model are shown in Ta- N is the maximum value in some dimension. max ble 1. 3.3 Evaluation Standard 2) CNN Algorithm Model CNN included one input layer, one output layer, Usually the performance of intrusion detection algorithm hidden layers including three convolution layers and is represented by three data, accuracy rate BC , false alarm three down sampling layers. In the convolution layer, rate EA and missing report rate. Intrusion detection al- the data features obtained from the upper layer was gorithms with higher accuracy rate and lower false alarm processed by activation function and convolution ker- and missing report rates were better. The expressions of nel and then output to the down sampling layer, the them [11] were: next convolution layer and output layer. The param- eter of the convolution layer was expressed as x(y), C + C B = P N where x stands for the number of convolution ker- C C + C + M + M P N P N nel and y stands for the length of convolution kernel. MN EA = Except the output layer which applied softmax, the CN + MN other layers took sigmoid, relu and tanh as activation MP functions. The performance was tested using testing NA = CP + MP set after training. The specific choices of network pa- rameters and activation functions of CNN algorithm where C stands for attack data which are accurately P are shown in Table 2. classified, CN stands for normal data which are accu- rately classified, MN stands for normal data which are wrongly classified, and MP stands for attack data which are wrongly classified. 3.6 Experimental Results 3.6.1 The Performance of DNN Algorithm 3.4 Experimental Environment The recognition performance of the DNN based intrusion Algorithm model was edited using Matlab. The experi- detection algorithm under different network parameters ment was carried out on a server which was installed with and activation functions is shown in Table 3. It was Windows 7, i7 processor and 16 G memory in a labora- known from Tables 1 and 3 where the control variable tory. method was used. The activation functions of DNN1, International Journal of Network Security, Vol.21, No.1, PP.153-159, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).19) 156

Table 2: The network parameters and activation function of CNN algorithm

No. of Convolution Convolution Convolution Activation function of Activation function model Layer 1 Layer 2 Layer 3 convolution layer of output layer CNN1 2(4) 4(5) 8(6) relu softmax CNN2 2(4) 4(5) 8(6) tanh CNN3 2(4) 4(5) 8(6) sigmoid CNN4 10(18) 14(22) 16(18) relu CNN5 10(18) 14(22) 16(18) tanh CNN6 10(18) 14(22) 16(18) sigmoid

Table 3: The recognition performance of DNN algorithm under different network parameters and activation functions

No. of model Accuracy BC/% False alarm rate EA/% Missing report rateNA/% DNN1 92.32 1.90 9.11 DNN2 92.38 1.61 9.12 DNN3 91.99 1.51 9.71 DNN4 92.88 0.45 9.01 DNN5 92.45 1.45 9.21 DNN6 91.89 1.66 9.74

DNN2 and DNN3 were different from the activation func- as attack data. CNN4 had the best recognition perfor- tions of DNN4, DNN5, and DNN6. The network param- mance overall though not all indexes of CNN4 were the eters were different between DNN1 and DNN4, DNN2 best. Similar to CNN, as the proportion of attack data and DNN5, and DNN3 and DNN6. The final experi- was far larger than that of normal data in the data set mental result demonstrated that DNN4 network parame- and the situation is opposite in the reality, the actual ter, 122-250-520-250-5, and activation function, relu, had missing report rate should be significantly lower than the the strongest recognition performance, 92.88% accuracy, false alarm rate rather than the false report rate was lower 0.45% false alarm rate and 9.01% missing report rate. than the missing report rate in the experimental result. The comparison of the recognition performance of differ- ent DNNs suggested that network parameter had little 3.6.3 Comparison between Different Algorithms influence on the recognition rate, but activation function had an influence on the recognition rate, and the efficacy To verify the recognition abilities of the two algorithms, of relu and tanh was better than that of sigmoid. the recognition performances of DNN4 and CNN4 which As the proportion of attack data was far larger than had the best recognition performance was compared with that of normal data in the data set and the situation is op- those of self-organizing map (SOM) algorithm and sup- posite in the reality, the actual missing report rate should port vector machine (SVM) algorithm which were men- be significantly lower than the false alarm rate rather than tioned in literature, as shown in Table 5. the false report rate was lower than the missing report rate in the experimental result.

3.6.2 The Performance of CNN Algorithm The recognition performance of the CNN based intrusion detection algorithm under different network parameters and activation functions is shown in Table 3. It was known from Tables 2 and 4 that the control variable method was used. It was found that the recognition accuracy of the CNN based intrusion detection algorithm was about 92%, nearly not affected by the number and length of convolu- tion kernel; CNN4 had the highest recognition accuracy, 92.47%; activation function had an obvious influence on the recognition performance of the algorithms; relu and Figure 2: Comparison of the recognition accuracy be- tanh had favorable effects; the over fitting of sigmoid led tween different algorithms to the failure of experiment because it determined all data International Journal of Network Security, Vol.21, No.1, PP.153-159, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).19) 157

Table 4: The recognition performance of CNN algorithm under different network parameters and activation functions

No. of model Accuracy BC/% False alarm rate EA/% Missing report rate NA/% CNN1 91.99 1.56 9.52 CNN2 92.39 1.57 9.49 CNN3 80.43 100 0 CNN4 92.47 1.57 8.89 CNN5 92.14 1.58 9.31 CNN6 80.54 100 0

Table 5: The recognition performance of different algorithms

No. of model Accuracy BC/% False alarm rate EA/% Missing report rate NA/% DNN4 92.88 0.45 9.01 CNN4 92.47 1.57 8.89 SOM 90.85 1.14 10.45 SVM 86.92 1.92 13.45 DBN 93.39 0.75 7.65

In Table 5, SOM and SVM algorithms are classical al- gorithms, and DBN algorithm is a deep learning model algorithm. Figure 2 exhibits that the recognition accu- racy of the DNN4 and CNN4 algorithms was higher than those of the SOM and SVM algorithms; they are 2.05%, 5.96%, 1.62% and 5.55% higher, respectively; the recog- nition accuracy of the DBN was 0.51% and 0.92% higher than those of the DNN4 and CNN4 algorithms, respec- tively. Figure 3 shows that the false alarm rate of the DNN4 algorithm was far lower than those of the SOM, SVM and DBN algorithms; they are 0.69%, 1.47% and 0.3%, respectively; the false alarm rate of the CNN4 algorithm was 0.43% and 0.82% higher than those of SOM and DBN Figure 3: Comparison of the false alarm rate between algorithms, respectively, but 0.35% lower than that of the different algorithms SVM algorithm. Figure 4 shows that the missing report rates of the DNN4 and CNN4 algorithms (9.01% and 8.89%) were lower than those of the SOM and SVM algorithms (10.45% and 13.45%), but higher than that of the DBN algorithm (7.65%). To sum up, the DNN algorithm and CNN algorithm were better than classical algorithms, SOM and SVM, in recognizing network abnormal events in the aspects of ac- curacy, false alarm rate and missing report rate, especially in the accuracy; though the comprehensive performance of the DNN4 algorithm was slightly poorer compared with the DBN algorithm, it was superior to the DBN algorithm in the false alarm rate.

Figure 4: Comparison of the missing report rate between 4 Conclusion different algorithms DNN and CNN algorithms were used in this study as the network intrusion detection algorithms, and the recogni- International Journal of Network Security, Vol.21, No.1, PP.153-159, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).19) 158 tion performance of the algorithms under different net- nition in noisy and reverberant environments,” in work parameters and activation functions was tested on IEEE International Conference on Acoustics, Speech the MATLAB simulation platform. Finally, the algorithm and Signal Processing, pp. 4380–4384, 2015. with better performance was selected and compared with [7] T. Yoshioka, S. Karita, T. Nakatani, “Far-field SOM and SVM algorithms and DBN algorithm. speech recognition using CNN-DNN-HMM with con- When the network parameter and activation function volution in time,” in IEEE International Confer- of the DNN algorithm were 122-250-520-250-5 and relu, ence on Acoustics, Speech and Signal Processing, pp. respectively, the recognition performance was the best; 4360–4364, 2015. the accuracy, false alarm rate and missing report rate at [8] M. Behnam, H. Pourghassem, “Power complex- that time were 92.88%, 0.45% and 9.01%, respectively. ity feature-based seizure prediction using DNN Network parameter had little influence on the perfor- and firefly-BPNN optimization algorithm,” in 22nd mance, while activation function had a large influence. Iranian Conference on Biomedical Engineering When the parameter of convolution kernel and acti- (ICBME’15), pp. 10–15, 2015. vation function of the CNN algorithm was 10(18)-14(22)- [9] G. Li, S. K. S. Hari, M. Sullivan, et al., “Under- 16(18) and relu, respectively, the recognition performance standing error propagation in deep learning neural was the best; the accuracy, false alarm rate and missing network (DNN) accelerators and applications,” in In- report rate at that time were 92.47%, 1.57% and 8.89%, ternational Conference for High Performance Com- respectively. Moreover the number and length of convolu- puting, Networking, Storage and Analysis, pp. 1–12, tion kernel had little influence on the performance, while 2017. activation function had an obvious influence. The over [10] T. Yoshioka, S. Karita, T. Nakatani, “Far-field fitting of sigmoid led to the failure of the experiment. speech recognition using CNN-DNN-HMM with con- In recognizing network abnormal events, the DNN and volution in time,” in IEEE International Confer- CNN algorithms are better than the classical algorithms, ence on Acoustics, Speech and Signal Processing, pp. SOM and SVM algorithms, especially in the accuracy, the 4360–4364, 2015. false alarm rate and the failure rate; however, compared to [11] S. Rastegari, P. Hingston, C. P. Lam, “Evolving sta- the DBN algorithm, the overall recognition performance tistical rulesets for network intrusion detection,” Ap- of the DNN and CNN algorithms was poorer, but the plied Soft Computing, vol. 33(C), pp. 348–359, 2015. false alarm rate of the DNN algorithm was superior to [12] A. J. Malik, W. Shahzad, F. A. Khan, “Network in- the DBN algorithm. trusion detection using hybrid binary PSO and ran- dom forests algorithm,” Security & Communication Networks, vol. 8, no. 16, pp. 2646–2660, 2015. References [13] T. Szabo, P. Barsi, P. Szolgay, “Application of ana- logic CNN algorithms in telemedical neuroradiol- [1] J. B. Hong, C. J. Chung, D. Huang, et al., “Scalable ogy,” in IEEE International Workshop on Cellular network intrusion detection and countermeasure se- Neural Networks and Their Applications, pp. 579– lection in virtual network systems,” in International 586, 2016. Conference on Algorithms and Architectures for Par- [14] X. Ren, K. Chen, J. Sun, “A CNN based scene chi- allel Processing, pp. 582–592, 2015. nese text recognition algorithm with synthetic data [2] M. J. Kang, J. W. Kang, “Intrusion detection system engine,” CoRR, vol. abs/1604.01891, 2016. using deep neural network for in-vehicle network se- [15] N. Khamphakdee, N. Benjamas, S. Saiyod, “Improv- curity,” Plos One, vol. 11, no. 6, 2016. ing intrusion detection system based on snort rules [3] E. Hodo, X. Bellekens, A. Hamilton, et al., “Threat for network probe attacks detection with association analysis of IoT networks using artificial neural net- rules technique of data mining,” Journal of ICT Re- work intrusion detection system,” in IEEE Inter- search & Applications, vol. 8, no. 3, pp. 234–250, national Symposium on Networks, Computers and 2015. Communications, pp. 6865–6867, 2016. [4] R. Singh, H. Kumar, R. K. Singla, “An intrusion detection system using network traffic profiling and Biography online sequential extreme learning machine,” Expert Systems with Applications, vol. 42, no. 22, pp. 8609– Yunbin He is a member of Communist Party of China 8624, 2015. and the associate professor of Zhaotong University, Yun- [5] S. Choudhury, A. Bhowal, “Comparative analysis of nan, China. She is engaging in teaching and scientific machine learning algorithms along with classifiers for research of computer. She has published more than 20 network intrusion detection,” in IEEE International academic papers on journals which are at the provincial Conference on Smart Technologies and Management level or above such as Application Research of Comput- for Computing, Communication, Controls, Energy ers, Electronic Technology & Software Engineering, Com- and Materials, pp. 89–95, 2015. puter Programming Skills & Maintenance and Journal of [6] A. Schwarz, C. Huemmer, R. Maas, et al., “Spa- Zhaotong University and participated in the writing of tial diffuseness features for DNN-based speech recog- one textbook and one teaching auxiliary book. International Journal of Network Security, Vol.21, No.1, PP.160-165, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).20) 160

Safety Protection of E-Commerce Logistics Information Data under the Background of Big Data

Yuan Zhao1 and Yanyan Zhang2 (Corresponding author: Yuan Zhao)

School of Business Administration, Shandong Women’s University1 No. 2399, Daxue Road, Changqing district, Jinan, 250300, China (Email: [email protected]) School of Economy, Shandong Women’s University, Ji’nan, Shandong 250300, China2 (Received May 31, 2018; revised and accepted Sept. 22, 2018)

Abstract ternet technologies, it could realize tracking and sharing of data, so its security risks could be reduced through E-commerce logistics information data during transmis- measures such as authentication protocol and data en- sion on the Internet are easy to be maliciously tampered; cryption. Zhang et al. [26] put forward a logistics infor- hence, effective measures are needed to protect them. In mation protection system based on encrypted quick re- this paper, technologies of identity authentication and sponse (QR) code. By means of sectional encryption, the digital encryption in a logistics information system were logistics information was stored in QR code, which can studied. The data encryption technology based on RSA protect personal privacy information under the premise algorithm and identity authentication technology based of reasonable logistics business. Gao et al. [5] considered on Certificate Authority (CA) certification system were that mobile authentication devices used by logistics enter- proposed. The results demonstrated that RSA algorithm prises could also affect the security of logistics information based technology had higher security and was not easier and then proposed a method to protect logistics informa- to crack between both technologies; the identity safety tion by attribute-based encryption and location-based key of transactions of both technologies could be identified exchange. This method could access the location and at- through CA certificate and digital signature. Finally, tributes of mobile devices and meet the requirements of some suggestions were put forward for ensuring the safety information protection. of logistics information. In this study, RSA-based data encryption technology Keywords: Big Data; Data Encryption; E-Commerce; In- and certificate authority (CA)-based identity authentica- formation Security; Logistic Information tion technology were used in a logistics information sys- tem to control the transmission of logistics information and the access of users to prevent information leakage, 1 Introduction and put forward some measures to protect logistics infor- mation. Network security has attracted more and more atten- tion [1, 12, 27]. In the era of big data, information se- curity has been more seriously threatened [14, 24]. E- commerce development rapidly relies on the Internet, and 2 Big Data and E-Commerce Lo- e-commerce logistics information data also explosively in- gistics Information crease with the development of e-commerce. The mas- sive data are easy to be attacked and damaged because 2.1 E-Commerce Logistics Information of network security problems when they are transmitted; under the Background of Big Data therefore, Information security is the basis for ensuring the sound development of e-commerce [8, 15]. Therefore, With the development of network and information tech- how to effectively protect these logistics information data nology, e-commerce has been gradually rising and widely has become the key to the development of e-commerce. praised. The biggest advantage of e-commerce is shorten- In a study of Huang [7], Radio Frequency Identifica- ing transaction time and improving transaction efficiency. tion (RFID) [4,11,22,23] based logistics information sys- Logistics is the last link of e-commerce, which has an im- tem analyzed was found that when combined with In- portant impact on the success or failure of transactions. International Journal of Network Security, Vol.21, No.1, PP.160-165, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).20) 161

Logistics information contains a lot of valuable infor- authentication technology and data encryption technol- mation, such as customer name, address, contact infor- ogy. mation, etc.; therefore, it is an important asset of en- terprises [17]. The information exchange between E- commerce and logistics enterprises is carried out through 3 Identity Authentication Tech- the network. The establishment of a logistics system is based on the Internet, so the information on the network nology is vulnerable to attacking and leakage [21]. The problem of network security is very serious. In the era of big data, 3.1 Identity Authentication logistics information data is growing rapidly, and massive information data concentrate; therefore, it is difficult to Authentication means that the user proves the reliabil- manage and protect them effectively, which brings oppor- ity of his or her identity by some way. Authentication tunities to hackers. Logistics information is facing many means that both parties in the electronic commerce need security problems. to confirm each other’s identity before they have a con- versation, that is, key exchange. In the process of key exchange [3, 13], in order to prevent identity imperson- 2.2 Security Problems of Logistics Infor- ation and information leakage, it is necessary to make im- mation Systems portant information transmitted as a ciphertext through private key and public key. The development of network technology increases risks of information security [18]. E-commerce logistics infor- mation system relies greatly on the network. But the 3.2 CA Identity Certification problem of network security has become more and more serious because the high openness and freedom of network CA identity certification can be applied in a large-scale are mainly reflected on: network environment. The system can issue different lev- els of digital certificates for different types of users such 1) Information security. Effective information of users as institutions, servers or individuals. It has been widely can be got through illegal interception when logis- used in many fields such as electronic banking, electronic tics information is transmitted in the network. The shopping malls and bank-enterprise reconciliation. The leakage of private information of users can have a system can ensure the security of identity authentica- large impact on the credit of e-commerce enterprises tion [9, 10]. and logistics enterprises. In addition, logistics infor- Identity authentication includes certificate authentica- mation may be maliciously tampered or deleted in tion and digital signature authentication. The specific the transmission process, resulting in incomplete in- process is as follows: formation and affecting the normal transactions of users. 1) Security certificates and signatures are sent to the server of the logistics information system from the 2) Virus. Network is the best medium for virus trans- client end and then transmitted after being encrypted mission. Logistics information is easy to be attacked by the public key. by viruses when being transmitted in the network, which will not only affect the transmission of logis- 2) The logistics information system receives the client tics information, but also affect a larger area after information, uses the private key to verify the ob- further transmission. tained certificate and signature, obtains the cus- 3) Identity uncertainty. E-commerce completes transac- tomer’s public key from the certificate after confirm- tions on a virtual platform, and the identity of both ing the validity, and then completes the client au- parties is uncertain. Illegal elements may embezzle thentication through the client’s public key. Next, the legitimate information of users for transactions the logistics information system uses the private key through illegal means. to complete the signature of the system certificate, and then the certificate and signature are transmit- E-commerce logistics information is easy to be inter- ted to the client through the client public key. cepted, tampered and embezzled in the transmission pro- cess, which brings huge losses to e-commerce enterprises, 3) After receiving the information of the logistics infor- logistics enterprises and users. Therefore, it is necessary mation system, the client first decrypts the informa- to pay more attention to logistics information security and tion through the private key, confirms the validity of strengthen the security protection of logistics information the certificate and signature, and then decrypts the systems. The security protection measures of logistics in- signature through the public key of the logistics infor- formation systems include identity authentication, data mation system. The process of identity certification encryption, digital signature, certificate management and is shown in Figure 1. security maintenance. This study focuses on the identity International Journal of Network Security, Vol.21, No.1, PP.160-165, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).20) 162

1) Two large integers, m and n, were selected and kept secret. 2) Calculate mode X = m × n and H(X) = (m − 1) × (n−1), where H refers to Euler function, X is public, and H(X) is private. 3) An integer p was selected (1 < p < H(X)), and p and H(X) are relatively prime; moreover, p is private. 4) Calculate the multiplicative inverse q of p, and q is private. 5) Delete m, n and H(X), and public key (p, x) and private key (q, x) are obtained. When RSA algorithm is used in data encryption, data needs to be segmented to make the length of every group of data smaller than X. Then plaintext M is encrypted as ciphertext S:

S = M p mod X.

The decryption process is M = Sq mod X. Suppose user A needs to send a fragment of informa- tion M to user B. The public and private keys of A are (p1,X1) and (q1,X1), respectively, and the public and Figure 1: The procedures of identity certification private keys of B are (p2,X2) and (q2,X2), respectively.

Encryption: Plaintext dm is input, and its length was made to be smaller than X. It is encrypted using the 4 Data Encryption Technique public key of B. Ciphertext S is obtained as follows:

p1 4.1 Data Encryption S = M mod X2.

Data encryption refers to re-encoding the logistics infor- Decryption: After B receives the ciphertext, B decrypts mation transmitted in the network in some way, hiding it using the private key of B. Plaintext M is obtained the information content in the data encoding, and stor- as follows: ing and transmitting the information in an unreadable q2 form [16]. When data is encrypted, hackers cannot obtain M = S mod X2. the real content of the information. After the information is encrypted, the receiver needs to decrypt the data using Digital Signature and Verification: Plaintext dm is decryption key. The keys are the conversion keys between input and signed using the private key of A. Then the plaintext and the ciphertext, including encryption and the output plaintext is dp: decryption keys. The process of information encryption p1 and decryption is shown in Figure 2. dp = M mod X1. The encryption and decryption process of information After B receives the signed text d , it is decrypted can be expressed by formulas. The encryption process can m using the public key of A. Finally plaintext d = be expressed as S = A(M), and decryption process can be m Sq1 mod X is obtained. expressed as M = C(S), where M stands for plaintext, S 1 stands for ciphertext, A stands for encryption algorithm, and C stands for decryption algorithm. The plaintext can 4.3 Security Verification of RSA be obtained by C(A(M)) = C(S) = M. In the actual application of RSA algorithm, m and n are usually more than 100 bits, which increases the breaking 4.2 RSA Encryption Algorithm difficulty. Suppose that a computer can make 100 million of operation in one second, then the operation time of RSA encryption algorithm is a commonly-used excellent RSA algorithm under different bits is shown in Table 1. public-key encryption algorithm [2, 19]. Its principle is It can be found from Table 1 that the longer the length prime factorization of large integer [20]. of key, the more complex RSA operation. It indicates that A key is needed before RSA encryption. The process RSA algorithm with a length of key longer than 100 bits of obtaining the key is as follows. is absolutely safe and impossible to be broken. International Journal of Network Security, Vol.21, No.1, PP.160-165, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).20) 163

Figure 2: The encryption and decryption of information

Table 1: The operation time of RSA

Decimal digit 50 100 300 500 Operation times of decomposition factor 1.4 × 108 2.3 × 1013 1.5 × 1027 1.3 × 1037 Operation time of decomposition factor 2.4 min 270 days 4.9 × 1013 days 4.2 × 1023 days

The use of RSA algorithm can encrypt the logistic in- 5.2 Realizing Safety Storage of Logistics formation of e-commerce such as the name, address and Information telephone number of both transaction parties. Table 2 shows the results of some logistics information after be- E-commerce enterprises and logistics enterprises should ing encrypted by RSA public key. fully realize the importance of logistics information data for the development of enterprises in the era of big data, It can be found from Table 2 that the logistics infor- and improve the attention to logistics information man- mation data become unidentifiable character string af- agement. For massive logistics information, enterprises ter being encrypted by RSA. Decryption with the key is need to properly preserve them, so as to avoid huge losses necessary; otherwise, they look like ineffective character brought by information leakage. Distributed file system strings. Even if logistics information data is intercepted, technology can be used to realize the cloud-based secu- it cannot be decrypted without corresponding keys, which rity storage of logistics information data and backup ex- ensures the security of logistics information data in the tremely important core data. In addition, enterprises can process of transmission. set access permission to avoid malicious steal of informa- tion and ensure security of logistics information.

5.3 Improving the Protection Technology 5 Security Protection Measures of Logistics Network Of Logistics Information Data The development of the Internet has improved the effi- ciency of logistics and also brought challenges to informa- tion security [25]. The safety of logistics network cannot 5.1 Strengthening the Establishment of be ignored. In order to avoid external attacks on the logis- Logistics Information Systems tics network, it is necessary to take certain technical mea- sures to establish protection measures and hide the inter- nal network channels. The core network can be isolated by Relevant government departments need to strengthen the physical isolation technology and firewall isolation tech- guidance for the scientific construction of logistics infor- nology. Enterprise technicians need to strengthen the re- mation systems, help enterprises to establish a sense of search on logistics network protection technology to en- logistics information protection, establish a safe and ef- sure that the internal information of the enterprise will fective logistics information system, actively promote the not be leaked. exchange and circulation of advanced logistics informa- tion protection technology, improve and strictly protect the relevant laws and regulations of logistics information, 6 Conclusion and strengthen access control and transmission control of logistics information systems [6]. Research and promo- With the development of Internet technology, network se- tion efforts on the core technology of logistics information curity becomes more and more serious. E-commerce lo- systems, such as identity authentication and data encryp- gistics information is easily attacked by criminals because tion, need to be strengthened to avoid information leakage it can be disseminated through the Internet. In this pa- to achieve logistics information security management. per, data encryption technology and identity authentica- International Journal of Network Security, Vol.21, No.1, PP.160-165, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).20) 164

Table 2: RSA encryption result

Plaintext Ciphertext r102yc/tKB+kE5RCpZbCSqmUdpFZj4Oq3Ct4sVCZnCofbPlJ/+vit/fZe6AkiqI3vZbLs7zha Zhao Xiaolan qzUioa0TsPkML7A9wnpZlS9LcqM6it7Igy+KQPC0BhpTG89eFhoS7ZVII6ITxL8Igoopzvx2 S/tnTqgN+8QaT6iKRqMoL7LyoY= QdjyxP1L/D7B3L3q8PhabLrjg9yxY/vCoVh+und+PipCOXjI5/5Znxom0Hr3bAiIyevdzFP 250000 HFVkfEK9c8tqKuB7ThKQ67HIVXyXjA6WsvBnn+RM6yBqPXRe/9pjgZt2kND0hm4NAZ V4pitCk7sImsAw0os4X9S+axQuYvJ4uG0s= eU+++6415N6+40YSY1Jq5JqTRdLgg5wCrP2DV53asz73Jt9aNVfLYcbpTDaDLbrfeO8Oz Shandong Women’s 2oV5NsBr+frI9GXw1Stk5T7Pq+MV4dIdZlh4KB+m79iwAJnbXerINVBH8dipe6pW3xTiV University in Jinan B4kB0/ctBQBXgixmhcIYXG5waERzKzZcE= Ldc0kZZ1t7MAclJ1xZBjWddNsDZouiW60hhNzTknGVzwTqT15eNA5c7+2Bcq/cKdbamk Shandong province isarQns7u3+bkBJTSmOyx95ZreRN5m8GYgGc4Z7K+RG2vJoP1FegGW5XuHh9Ne1/a+ LLEmCBtYeiVDTSiu3YHnVCnWR1pO4rXCstSaY=

tion technology in logistics information system were stud- [7] K. Huang, “IIPM as a solution to the security prob- ied. RSA algorithm was proposed and CA authentication lems of RFID-based logistics information system,” system was used for identity authentication. These two in International Conference of Logistics Engineering technologies can effectively improve the security of logis- and Management, pp. 2367–2371, 2010. tics information. The advantages of e-commerce industry [8] M. S. Hwang, C. T. Li, J. J. Shen, Y. P. Chu, “Chal- need reliable and efficient logistics to guarantee security; lenges in e-government and security of information”, therefore, only when the safety of logistics information Information & Security: An International Journal, data is ensured, e-commerce can develop safely. vol. 15, no. 1, pp. 9–20, 2004. [9] M. S. Hwang, L. H. Li, “A new remote user authen- tication scheme using smart cards”, IEEE Transac- References tions on Consumer Electronics, vol. 46, no. 1, pp. 28–30, Feb. 2000. [1] A. A. Al-khatib, W. A. Hammood, “Mobile malware [10] M. S. Hwang, J. W. Lo, S. C. Lin, “An efficient user and defending systems: Comparison study,” Inter- identification scheme based on ID-based cryptosys- national Journal of Electronics and Information En- tem”, Computer Standards & Interfaces, vol. 26, no. gineering, vol. 6, no. 2, pp. 116–123, 2017. 6, pp. 565–569, 2004. [2] C. C. Chang, M. S. Hwang, “Parallel computation of [11] M. S. Hwang, C. H. Wei, C. Y. Lee, “Privacy and se- the generating keys for RSA cryptosystems”, Elec- curity requirements for RFID applications”, Journal tronics Letters, vo1. 32, no. 15, pp. 1365–1366, 1996. of Computers, vol. 20, no. 3, pp. 55–60, Oct. 2009. [12] S. Islam, H. Ali, A. Habib, N. Nobi, M. Alam, and D. [3] T. Y. Chang, W. P. Yang, M. S. Hwang, “Simple au- Hossain, “Threat minimization by design and deploy- thenticated key agreement and protected password ment of secured networking model,” International change protocol”, Computers & Mathematics with Journal of Electronics and Information Engineering, Applications, vol. 49, pp. 703–714, 2005. vol. 8, no. 2, pp. 135–144, 2018. [4] Y. C. Chen, W. L. Wang, M. S. Hwang, “RFID au- [13] I. C. Lin, M. S. Hwang, C. C. Chang, “A new thentication protocol for anti-counterfeiting and pri- key assignment scheme for enforcing complicated ac- vacy protection”, in The 9th International Confer- cess control policies in hierarchy”, Future Generation ence on Advanced Communication Technology, pp. Computer Systems, vol. 19, no. 4, pp. 457–462, May 255–259, 2007. 2003. [5] Q. Gao, J. Zhang, J. Ma, et al., “LIP-PA: A lo- [14] L. Liu, Z. Cao, C. Mao, “A note on one outsourc- gistics information privacy protection scheme with ing scheme for big data access control in cloud,” In- position and attribute-based access control on mo- ternational Journal of Electronics and Information bile devices,” Wireless Communications and Mobile Engineering, vol. 9, no. 1, pp. 29–35, 2018. Computing, vol. 2018, Article ID 9436120, 14 pages, [15] G. Lv, M. Gao, X. Ji, “Research on information se- 2018. (https://doi.org/10.1155/2018/9436120) curity of electronic commerce logistics system,” in [6] D. Geng, X. Li, H. Liu, “Research on the network International Conference on Intelligent Computing, security of a E-commerce system based on logistics pp. 600–611, 2016. information platform,” in IEEE International Con- [16] R. Sailaja, C. Rupa, A. S. N. Chakravarthy, “Inten- ference on Computer and Communication Technolo- sifying the security of information by the fusion of gies in Agriculture Engineering, pp. 24–27, 2010. random substitution technique and enhanced DES,” International Journal of Network Security, Vol.21, No.1, PP.160-165, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).20) 165

in Smart Computing and Informatics, pp. 487-496, [25] J. Zhang, L. Ye, “The Internet of Things and Per- 2017. sonal Privacy Protection,” in International Confer- [17] A. Shameli-Sendi, R. Aghababaei-Barzegar, M. ence of Logistics Engineering and Management, pp. Cheriet, “Taxonomy of information security risk as- 2892–2898, 2010. sessment (ISRA),” Computers & Security, vol. 57(C), [26] X. Zhang, H. Li, Y. Yang, et al., “LIPPS: pp. 14–30, 2016. Logistics information privacy protection system [18] Z. A. Soomro, M. H. Shah, J. Ahmed, “Information based on encrypted QR code,” in IEEE Trust- security management needs more holistic approach: com/BigDataSE/ISPA, pp. 996–1000, 2016. A literature review,” International Journal of Infor- [27] S. Zhong, Z. Deng, “Model design of information se- mation Management, vol. 36, no. 2, pp. 215–225, curity monitoring system of nanchang bonded logis- 2016. tics park,” in IEEE International Symposium on In- [19] S. F. Tzeng, M. S. Hwang, “Digital signature with formation Science & Engineering, pp. 489–493, 2010. message recovery and its variants based on elliptic curve discrete logarithm problem”, Computer Stan- dards & Interfaces, vol. 26, no. 2, pp. 61–71, Mar. Biography 2004. [20] F. T. Wang, T. W. Lin, H. F. Tsai, et al., “Apply- Zhao Yuan, born in January 17, 1986, is a graduate stu- ing RSA signature scheme to enhance information dent and a professional teacher at Shangdong Women’s security for RFID based power meter system,” in In- University. Her research direction is electronic commerce ternational Conference on Information Engineering, and international logistics. Since December 2015, she has pp. 549–556, 2014. worked at Shangdong Women’s University. In 2016, she [21] L. Wang, T. Su, “A personal information protection chaired a youth project at the school level. A paper was mechanism based on ciphertext centralized control in published in 2016 and was searched by ISSHP. Three pa- logistics informatization,” in LISS 2013, pp. 1207– pers were published in 2017. 1212, 2015. Zhang Yanyan, born in December 21, 1986, is a grad- [22] C. H. Wei, M. S. Hwang, A. Y. H. Chin, “A mutual uate student and a professional teacher at Shangdong authentication protocol for RFID”, IEEE IT Profes- women’s university. The research direction is economy sional, vol. 13, no. 2, pp. 20–24, Mar. 2011. and finance. From August 2013 to November 2014, she [23] C. H. Wei, M. S. Hwang, A. Y. H. Chin, “A secure worked in Jinan Branch of China Post Savings Bank. privacy and authentication protocol for passive RFID Since December 2014, she has worked in Shangdong tags,” International Journal of Mobile Communica- women’s university. In 2015, she chaired a youth project tions, vol. 15, no. 3, pp. 266–277, 2017. at the school level. In 2017, she presided over a project [24] L, Xu, C. Jiang, J. Wang, et al., “Information se- of Shandong Youth Quality Education Base, in 2018 she curity in big data: privacy and data mining,” IEEE presided over a project of Shandong Youth Education Sci- Access, vol. 2, no. 2, pp. 1149–1176, 2017. ence Planning, and published 8 academic papers from 2015 to 2018. International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 166

A Context Establishment Framework for Cloud Computing Information Security Risk Management Based on the STOPE View

Bader Saeed Alghamdi, Mohamed Elnamaky, Mohammed Amer Arafah, Maazen Alsabaan, Saad Haj Bakry (Corresponding author: Mohamed Elnamaky)

College of Computer and Information Sciences, King Saud University Riyadh, Saudi Arabia (Email: [email protected]) (Received Nov. 15, 2017; revised and accepted Apr. 21, 2018)

Abstract sources with self-service provisioning and administration on-demand” [20]. A basic need for cloud computing services is to provide The two definitions reflect the fact that cloud comput- them with sound ”Information Security Risk Management ing drives toward making computing a public service for (ISRM)” solutions. The initial essential step toward pro- individuals and for organizations, removing the burden viding such solutions is to identify a context that deter- of running their computing facilities from their private mines all security issues. This paper introduces a man- facilities to somewhere else expressed as ”the cloud”. agement framework that targets modularity and compre- Considering risk management issues, it has been hensiveness. The framework is based on the structured viewed that information security risk management is the wide-scope view of Strategy, Technology, Organization, process in which identification and analysis of risks are People and Environment (STOPE); and on recent publi- integrated. This process also combines the assessment of cations related to ISRM by standards, published research risk impact and decision to eliminate or reduce the risk. work. The outcome of the work would provide a useful ISRM requires an identification and evaluation of the or- context establishment management tool for the future de- ganization’s assets, impact and likelihood of security inci- velopment of ISRM for cloud computing. dents, and finally a cost analysis of the investment in se- Keywords: Cloud Computing; Information Security; Risk curity protection. Risk assessment and risk treatment are Management; Structured Views the two main phases typically enclosed in the ISRM pro- cess. Risk assessment phase aims to determine whether existing protection is sufficient to protect information as- 1 Introduction sets by providing information about threats and system vulnerabilities. Risk treatment phase targets the selection Cloud computing is basically a shared computing system and implementation of security measures to reduce the among various users. Two reputable organizations, the risk through different approaches namely; risk avoidance, International Telecommunication Union (ITU) and the risk mitigation, risk transfer and risk acceptance [22, 31]. National Institute of Standards and Technology (NIST), It has been emphasized by ISO and NIST that a have provided the following common definition for cloud systematic approach is necessary to create an effec- computing: ”Cloud computing is a model for enabling tive information security management for computing sys- ubiquitous, convenient on-demand network access to a tems. For this purpose, both organizations have pro- shared pool of configurable computing resources (networks, vided recommended specific frameworks and application servers, storage, applications & services) that can be approaches [22, 32]. Recognizing the special security re- rapidly provisioned and released with minimal manage- quirements of cloud computing, ISO and NIST provided ment efforts or service-provider interaction” [1, 24, 28]. special recommendations for cloud security [19, 30]. In Another reputable international organization, the In- addition, various researchers in the field have produced ternational Standards Organization (ISO), also provided useful ISRM tools for computing systems and for cloud its own definition of cloud computing as follows: ”Cloud computing [3, 12, 18, 27, 38, 40, 43]. computing is a paradigm for enabling network access to a Information security in cloud computing is not a prob- scalable & elastic pool of sharable physical or virtual re- lem that could be resolved by technology alone. Security International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 167 risks are present in organization’s information systems ITU [24] jointly list five main characteristics, ISO [20] due to technical failures, system vulnerabilities, human adds an extra one making them six. These six charac- failures, fraud or external events. Integration among IT, teristics are summarized in Table 1. The three reputable organization and human factors is needed to gain suffi- standards organizations have considered the cloud com- cient knowledge of an effective ISRM, which can be de- puting architecture to provide three main types of ser- signed to protect the confidentiality, integrity, and avail- vice: (1) Infrastructure as a Service (IaaS); (2) Platform ability of information assets. [12]. as a Service (PaaS); (3) Software as a Service (SaaS). This paper develops a management framework for These types of service are illustrated by Figure 1 against cloud computing ISRM context establishment that enjoys the layered architecture of cloud computing provided by comprehensiveness in accommodating the various issues ITU [25]. concerned, and modularity in the flexible organization of these issues. The framework is based on Bakry’s struc- Table 1: A Summary of the main characteristics delivered tured view of ”Strategy, Technology, Organization, Peo- by the cloud computing architecture ple and Environment: STOPE” on the one hand [36, 39]; and on recent publications related to ISRM by organiza- Providing Computing resources for ”on-demand tions concerned with standards and by various researchers self-service” by customers. working in the field on the other. The paper makes the Enabling Customers to access the resources following contributions. through ”broadband network access”. • It describes the basic issues of the problem includ- Servicing Multi-customers through ”resource ing: (1) the cloud computing architecture; (2) the key pooling”. ISRM sources of information and recommendations; Delivering The service with ”rapid elasticity and and (3) the structure of the targeted comprehensive scalability” in terms of responding to and modular management framework. demands rapidly and with what ap- • It maps the key wide-scope ISRM requirements, col- pears to be unlimited resources. lected from various sources, to the structure of the Providing ”Measured service”, with transparency targeted management framework, which is based on to both the customer and the service the STOPE view. provider. Ensuring ”Multi tenancy” in terms of isolating • It delivers the targeted STOPE based management each customer computations and data framework of ISRM context establishment, empha- from others. sizing its comprehensiveness in accommodating the various issues concerned in a well-organized and flex- ible modular form. • It uses the resulting management framework as an initiation tool for the development of ISRM for cloud computing. The rest of this paper is organized as follows: Section 2 describes the basic issues in cloud computing, and in- troduces the comprehensive and structured STOPE view. Section 3 presents the proposed ISRM framework. And finally, in Section 4 discusses the implications of the work and highlights future research.

2 Basic Issues and the Structuring View

This section identifies the cloud computing architecture and the recent key ISRM recommendations. It also de- Figure 1: The ITU layered architecture of Cloud Com- scribes the structured STOPE view used for providing puting Reference the targeted cloud computing ISRM context establish- ment management framework.

2.1 Cloud Computing Architecture 2.2 Key ISRM Sources The cloud computing architecture is developed to enjoy There are two main sources for ISRM at the traditional various needed characteristics. While NIST [28] and the computing systems level and at the cloud computing level. International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 168

These two sources are as follows. Table 3: Examples of IT related systems, where the • Documents on the subject issued by international STOPE framework is used for their structured descrip- and national organizations concerned with standards. tion

• Research papers published in refereed journals and conferences.

Key ISRM references associated with the two sources have been taken into account. Table 2 lists the main topics addressed by the various sources considered; and alongside each topic, the table shows the corresponding publication sources, and their related references. The ele- ments of the ISRM requirements for cloud computing, ad- dressed by these sources, will be mapped on the proposed context establishment management framework structure described in the following sections.

Table 2: Key ISRM sources of requirements related to cloud computing

those of Table 3, are accommodated into its various wide- scope domains. The second is modularity, where these issues are well classified and structured per well-defined domains. These two benefits ease the management of the issues through accommodating them within a well- structured wide-scope framework on the one hand, and through grouping the related issues, and enabling flexi- bility in their detailed analysis. Considering the experience in the STOPE view, the view would be an appropriate choice for addressing and managing ISRM context requirements for cloud comput- ing. The STOPE view is illustrated in Figure 2 consider- ing the main component of a security problem.

2.3 The STOPE View Bakry’s five-domain structured view of ”Strategy, Technology, Organization, People and Environment (STOPE)” has been widely used for developing compre- hensive and modular views of various aspects of informa- Figure 2: The STOPE framework & the security problem tion technology services systems, including security and various other aspects [9, 10, 33]. Examples of these sys- tems are given in Table 3. The framework would support the management of the Based on experience, using the STOPE view has been various issues of the security problem in cloud computing. useful in providing two main benefits to its users. The The various ”assets”, accidental and malicious ”security first is comprehensiveness, where the different existing threats”; and the physical, administrative and technical and potential issues, concerned with problems related to ”protection controls” can be associated with the different International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 169

TOPE domains. The framework ”strategy” deals with comprehensive and well-organized context establishment these issues toward providing confidentiality, integrity and would provide great support to risk management. The availability effectively and efficiently. The STOPE view targeted framework concerned with this is described in will therefore be used in the next section for building the following per the main domains of the STOPE view. the targeted management framework of cloud computing ISRM context establishment. 3.1 Strategy The strategy is addressed here in terms of its security 3 The Framework concerns, which include the following:

The targeted cloud computing ISRM context establish- • The ”basic principles” of the strategy, which involve ment management framework, based on the comprehen- its main targets. sive and modular STOPE view, is presented in this sec- tion. Figure 3 gives an illustrative view of the structure of • The various ”assets” of cloud computing. the framework within ISO 27005 information security risk • The expected ”threats”, which result from ”mali- management process [22], which is based on ISO 31000 cious actions (M); accidental events (A); vulnerabil- risk management principles and guidelines [23]. ities (V); or environmental causes (E)”.

• The available ”protection controls” that can be used to reduce the consequences of the threats.

• The ”performance measures”, which are associated with ”the confidentiality of information (C); the in- tegrity of information (I); and the availability of the services (A)”. In addition, the overall safety of the cloud and its associated elements (S), and the rep- utation of the organization concerned (R) are also important measures.

Table 4 elaborates on these concerns and gives previous literature associated with them. Table 5 through Table 7 provides a structured view of the components of cloud computing assets, threats and protection controls per the TOPE domains.

3.2 Technology Figure 3: Structured STOPE-based Framework The components of the ”technology assets” associated with the cloud computing layered architecture are de- scribed in Table 8. They can be classified into four types: The Figure has the following main components. • Hardware basic components. • The first component gives the basic structure of the targeted context establishment STOPE-based man- • The infrastructure virtualization components that agement framework which is described in the coming enable multi-users to share the cloud ”IaaS”. subsection of this main section. • The system software and the essential platform ser- • The second component is concerned with the risk vices components that enable the provisioning of analysis activity of the risk management process [8, ”PaaS” to various users. 37], which considers the likelihood and impact of the • The application software and the essential software various risks and determines the risk levels. services components that enable the provisioning of • The third is associated with the risk evaluation ac- ”SaaS” to various users. tivity that considers risk evaluation criteria. The main ”threats” associated with technology are • The fourth is related to risk treatment and risk ac- summarized in Table 9. They consider the ”failure” of ceptance that consider all the above. the various components of cloud computing technology re- sulting from different malicious actions, accidental events, The consecutive activities of Figure 3, from the second vulnerabilities, and environmental reasons (MAVE). Such to the fourth, receive and request information from the failures threaten ”service availability (A)” leading to ”de- first, which is the context establishment. Therefore, a nial of service”. They also threaten the ”reputation (R)” International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 170

Table 4: Strategy concerns

Table 7: Protection controls

Table 8: Technology Assets (AT)

Table 5: Assets

Table 6: Threats International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 171 of the cloud computing provider, and generally the ser- of the people”, the basic components include: the people viced customer too. In addition, threats associated with themselves; and their individual information as described technology ”destruction attacks” that may lead to various in Table 12. malfunctions that threaten the confidentiality (C) and the integrity (I) of information are also considered. Table 11: Organization Assets (AO)

Table 9: Threats related to Technology (TT)

The ”protection controls” concerned with the technol- ogy involve providing ”back up” to the various technol- ogy layers of the cloud. Therefore, the service ”availabil- ity” and organization ”reputation” can be maintained, and ”business continuity” achieved. In addition, ”immu- nity tools” are considered to protect the cloud technology Table 12: People Assets (AP) from destruction attack, and achieve confidentiality and integrity. These protection controls are summarized in Table 10.

Table 10: Protection controls concerned with Technology (PT) - The below ensures ”business continuity”

The threats associated with the organization and with the people include unauthorized ”access” to the cloud ser- 3.3 Organization & People vices and information, which threatens the ”confidential- ity (C)” of information and the ”reputation (R)” of the or- The basic components of the ”assets of the organization” ganization. These threats also include unauthorized ”ac- include its business processes, information, and reputa- tion” to the cloud services and information, which threat- tion. These are described in Table 11. For the ”assets ens the ”integrity (I)” of information and the ”safety (S)” International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 172 and ”reputation (R)” of the organization as a whole. Both types of threats may be caused by ”malicious actions (M)” and ”vulnerabilities (V)”. Further details are given in Ta- ble 13. The ”protection controls” concerned with the ”organi- Table 14: Protection concerned with Organization & Peo- zation and people” have three main types: management ple (POP) ”regulations”; ”awareness and training”, and ”user prac- tices”. Each of these types would be related to: the ”rules” associated with it; the ”immunity” tools con- cerned; ”password” issues; use of ”email”; use of ”net- works”; use of ”data”; use of ”encryption”; and of course, ”use of the given services”. These protection controls would contribute to all performance measures (C), (I), (A), (R), and (S) described in Table 14.

Table 13: Threats related to Organization & People (TOP)

3.4 The Environment The ”assets” associated with the environment can be viewed as the ”premises” of the cloud, where the needed cloud ”utilities” enabling its operation. As shown in Ta- ble 15, the premises would include the surrounding zone, the buildings, and the essential support facilities and ser- vices. The utilities would include electricity, air condi- Table 15: Environment Assets (AE) tioning, cooling system, water supply, waste system, and other utilities. The threats associated with the environment would have three main types. The first is the ”destructive events” that may result from ”malicious (M)”, ”accidental (A)” and ”environmental (E)” events, leading to ”avail- ability (A)”, ”reputation (R)”, and ”safety (S)” problems. The second is ”natural events” that result from the ”en- vironment (E)”, leading to the same problems. The third is ”radiation disturbances” that result from the ”environ- ment (E)”, or from malicious ”action (M)”, leading also to the same problems. Table 16 provides further elabora- tions on these threats. The ”protection controls” concerned with the ”envi- ronment” have four main types: ”physical” guarding of the premises, protection from ”destructive events”, pro- tection from ”natural events”, and protection from ”ra- International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 173

4 Discussion, Conclusions & Fu- Table 16: Threats related to the Environment (TE) ture Work

This paper contributes to the initial stage of ISRM pro- cess for cloud computing, which is essential to all other stages of the ISRM process. It has developed a context establishment management framework based on the struc- ture of the STOPE view. The framework derives its cloud ISRM requirements from key recent literature, including: literature developed by specialized standards organiza- tions, and research papers published in refereed journals. The framework has two main benefits.

• It gives a comprehensive view of the targeted con- text enabling it to accommodate the various issues concerned with ISRM for cloud computing.

• It provides the comprehensive context with a well- organized modular construction that enables its flex- ible use and management by the subsequent stages of the ISRM process. diation disturbances”. These controls would contribute to all performance measures: ”(C), (I), (A), (R), and The framework is of generic nature; and it is open to (S)”. Protection from destructive, natural, and radia- different practical cloud computing context establishment tion disturbances events include the protection of: peo- cases for ISRM. It should be noted here that while full ple, premises and utilities, in addition to all components comprehensiveness for various cases is a remote target, associated with the cloud operation. These protection due to the continuous development of information tech- controls are given in Table 17. nology and cloud computing, the framework remains a useful dynamic tool to start ISRM process and accommo- dates its basic requirements, with openness to continued extensions that meet the developing requirements. This Table 17: Protection concerned with Environment (PE) dynamism of application is supported by the clear mod- ularity of the STOPE view of the framework. Future work based on the framework may be associated with the following three main extensions.

• The first would be concerned with implementing the framework on the computer. This will ease estab- lishing a structured ISRM context for various cloud case-studies; and will also enable tailoring the con- text to their requirements.

• The second would consider developing the above soft- ware further, following the subsequent stages of cloud ISRM process. These stages usually include: assess- ing the risks of the threats on the assets; considering suitable protection controls and assessing their effec- tiveness and efficiency; and choosing suitable controls per certain acceptable criteria. In this respect comes the idea of viewing the controls as preventive, detec- tive or corrective, and considering them with specific priorities per their performance.

• The third would be concerned with using the out- come of the above two extensions to investigate ISRM for various clouds. This would enable building expe- rience, and support updating and upgrading all the above. International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 174

It is hoped that both researchers and professionals in Journal of Network Management, vol. 15, no. 5, pp. the field would make use of the framework, develop it fur- 363–370, 2005. ther according to their practical requirements, and benefit [12] R. Bojanc, B. Jerman-Blaˇziˇc, “A quantitative model from its features for better and more secure clouds in the for information-security risk management,” Engi- future. neering Management Journal, vol. 25, no. 2, pp. 25– 37, 2013. [13] Y. Chen, V. Paxson, R. H. Katz, What’s New About Acknowledgement Cloud Computing Security, University of California, Berkeley Report No. UCB/EECS-2010-5 Jan. 20, The authors thank the Deanship of Scientific Research 2010. and RSSU at King Saud University for their technical [14] T. S. Chou, “Security threats on cloud computing support. vulnerabilities,” International Journal of Computer Science & Information Technology, vol. 5, no. 3, p. 79, 2013. References [15] CSA, Security Guidance for Critical Areas of Focus in Cloud Computing v3.0, Cloud Security Alliance, [1] M. Ahmed, A. T. Litchfield, S. Ahmed, “A gen- 2011. (http://www.cloudsecurityalliance.org/ eralized threat taxonomy for cloud computing,” in guidance/csaguide.v3.0.pdf) 25th Australasian Conference on Information Sys- [16] CSA, Cloud Controls Matrix, Cloud Security Al- tems, Auckland, New Zealand, 2014. liance, 2016. (https://cloudsecurityalliance. [2] A. A. AlHogail, A Framework for the Analysis and org/group/cloud-controls-matrix/) Implementation of an Effective Information Security [17] CSA, The Treacherous 12, Cloud Computing Top Culture Based on Key Human Factor Elements and Threats in 2016, Cloud Security Alliance, 2016. Change Management Principles, King Saud Univer- (https://cloudsecurityalliance.org/group/ sity, MSc dissertation, 2016. top-threats/) [3] M. Alnuem, H. Alrumaih, H. Al-Alshaikh, “A com- [18] K. Djemame, D. Armstrong, J. Guitart, and M. Ma- parison study of information security risk man- cias, “A risk assessment framework for cloud comput- agement frameworks in cloud computing,” in The ing,” IEEE Transactions on Cloud Computing, vol. Sixth International Conference on Cloud Computing, 1, p. 1-1, 2016. GRIDs, and Virtualization, pp. 103–109, 2015. [19] ISO, International Standards Organization: [4] M. Almorsy, J. Grundy, A. S. Ibrahim, ISO/IEC 27017:2015, Information Technol- “Collaboration-based cloud computing security ogy: Security Techniques - Code of Prac- management framework,” in IEEE International tice for Information Security Controls Based Conference on Cloud Computing (CLOUD’11), pp. on ISO/IEC 27002 for Cloud Services, 2015. 364-371, 2011. (https://www.iso.org/standard/43757.html) [5] K. I. Al-Osaimi, A. Alheraish, and S. H. Bakry, [20] ISO, International Standards Organization: “An integrated STOPE framework for e-readiness as- ISO/IEC 17788:2014, Information Technology: sessments,” in 18th National Computer Conference, Cloud Computing - Overview and Vocabulary, 2014. Saudi Computer Journal, pp. 23–36, 2006. (https://www.iso.org/standard/60544.html) [6] K. I. Al-Osaimi, Mathematical Models for E- [21] ISO, International Standards Organization: Readiness Assessment of Organizations with In- ISO/IEC 27002:2013, Information Technol- tranets, King Saud University, Unpublished Magister ogy: Security Techniques - Code of Prac- Thesis, 2007. tice for Information Security Controls, 2013. [7] K. I. Al-Osaimi, A. Alheraish, and S. H. Bakry, (https://www.iso.org/standard/54533.html) “STOPE-based approach for e-readiness assessment [22] ISO, International Standards Organiza- case studies,” International Journal of Network Man- tion: ISO/IEC 27005:2011, Information agement, vol. 18, no. 1, pp. 65–75, 2008. Technology: Security Techniques - Infor- [8] A. A. A.Alrabiah, Risk Analysis for the Development mation Security Risk Management, 2011. of Security-Readiness Indicators for Intranets, King (https://www.iso.org/standard/56742.html) Saud University , Master thesis, 2007. [23] ISO, International Standards Organization: [9] M. A. Arafah, H. S. Al-Harbi, S. H. Bakry, “Grid ISO 31000:2009, Risk Management: Principles computing: a STOPE view,” International Journal and Guidelines, 2009. (https://www.iso.org/ of Network Management, vol. 17, no. 4, pp. 295–305, standard/43170.html) 2007. [24] ITU, International Telecommunication Union, Fo- [10] S. H. Bakry, “Development of e?government: A cus Group on Cloud Computing, Technical Re- STOPE view,” International Journal of Network port. Part 1: Introduction to the cloud ecosys- Management, vol. 14, no. 5, pp. 339–350, 2004. tem: definitions, taxonomies, use cases and high- [11] A. H. Bakry, S. H. Bakry, “Enterprise resource plan- level requirements, 2012. (https://www.itu.int/ ning: A review and a STOPE view,” International pub/T-FG-CLOUD-2012-P1/en) International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 175

[25] ITU, International Telecommunication Union, Fo- [37] M. S. Saleh, Analysis of Information Security Risks cus Group on Cloud Computing, Technical Re- and Protection Management Requirements for En- port. Part 2: Functional requirements and ref- terprise Networks, University of Bradford, Doctoral erence architecture, 2012. (https://www.itu.int/ dissertation, 2012. pub/T-FG-CLOUD-2012-P2/en) [38] P. Saripalli, and B. Walters, “Quirc: A quantita- [26] I. Kateeb, M. Almadallah, “Risk management frame- tive impact and risk assessment framework for cloud work in cloud computing security in business and or- security,” in IEEE 3rd International Conference on ganizations,” in Proceedings of the 2014 IAJC/ISAM Cloud Computing, pp. 280–288, 2010. Joint International Conference, 2014. [39] H. Susanto, F. Muhaya, M. N. Almunawar, “Refine- [27] A. U. Khan, M. Oriol, M. Kiran, M. Jiang, and K. ment of strategy and technology domains STOPE Djemame, “Security risks and their management in view on ISO 27001,” in International Conference cloud computing,” in 4th International Conference on Intelligent Computing and Control (ICOICC’10). on Cloud Computing Technology and Science, IEEE, Archieved by Cornell University Library, 2010. pp. 121–128, 2012. [40] H. Takabi, J. B. Joshi, and G. J. Ahn, “Secure- Cloud: Towards a comprehensive security frame- [28] P. Mell, and T. Grance, National Institute of Stan- work for cloud computing environments,” in 34th dards and Technology, U.S. Department of Com- Annual Computer Software and Applications Confer- merce, The NIST Definition of Cloud Computing, ence Workshops (COMPSACW’10), IEEE, pp. 393– Special Publication 800-145, 2011. 398, 2010. [29] F. Muhaya, S. H. Bakry, “An approach for the de- [41] S. Tanimoto, M. Hiramoto, M. Iwashita, H. Sato, A. velopment of national information security policies,” Kanai, “Risk management on the security problem in International Journal of Advanced Science and Tech- cloud computing,” in First ACIS/JNU International nology, vol. 21, pp. 1–10, 2010. Conference on Computers, Networks, Systems and [30] NIST 500-299, National Institute of Standards and Industrial Engineering (CNSI’11), IEEE, pp. 147– Technology, U.S. Department of Commerce, NIST 152, 2011. Cloud Computing Security Reference Architecture, [42] F. Xie, Y. Peng, W. Zhao, D. Chen, X. Wang, X. 2013. (https://csrc.nist.gov/publications/ Huo, “A risk management framework for cloud com- detail/sp/500-299/draft) puting,” in 2012 IEEE 2nd International Conference [31] NIST 800 - 30, National Institute of Stan- on Cloud Computing and Intelligence Systems, vol. dards and Technology, U.S. Department of Com- 1, pp. 476–480, 2012. merce, Information Security: Guide for Conducting [43] X. Zhang, N. Wuwong, H. Li, and X. Zhang, “Infor- Risk Assessments, 2012. (https://csrc.nist.gov/ mation security risk management framework for the publications/detail/sp/800-30/rev-1/final) cloud computing environments,” in IEEE 10th Inter- [32] NIST 800 - 37, National Institute of Stan- national Conference on Computer and Information dards and Technology, U.S. Department of Com- Technology (CIT’10), pp. 1328–1334, 2010. merce, Information Security: Guide for Apply- ing the Risk Management Framework to Fed- eral Information Systems, A Security Life Cy- Biography cle Approach, 2010. (https://csrc.nist.gov/ Bader Saeed Alghamdi received his B.Sc. degree publications/detail/sp/800-37/rev-1/final) in electrical engineering, electronics and telecommuni- [33] M. S. Saleh, A. Alrabiah, and S. H. Bakry, E- cations department, from Kind Saud University, Saudi Business Diffusion Requirements: A STOPE View Arabia in 2008. He is currently a project coordinator for for Easing the Use of ISO 17799 Information Secu- telecommunications and information security projects. rity Management Standard, Organization, 6, pp. 16, His current area of research interest includes information 2005. security risk management, risk assessment techniques, [34] M. S. Saleh, A. Alrabiah, and S. H. Bakry, “A and cloud computing deployment. STOPE model for the investigation of compliance with ISO 17799-2005,” Information Management & Mohamed Elnamaky received his B.Sc. degree from Computer Security, vol. 15, no. 4, pp. 283–294, 2007. Tanta University, School of Electrical Engineering, Egypt [35] M. S. Saleh, A. Alrabiah, and S. H. Bakry, “Using He also received the M.Sc. degree in Electronics and ISO 17799: 2005 information security management: Telecommunication Engineering from Ajou University, A STOPE view with six sigma approach,” Interna- South Korea. He joined King Saud University as re- tional Journal of Network Management, vol. 17, no. searcher in 2009. His main areas of research interest 1, pp. 85–97, 2007. are ASIC/FPGA modeling and simulation for wireless algorithms, Channel Estimation and Detection for mobile [36] M. S. Saleh, and A. Alfantookh, “A new compre- communications and MIMO network design. hensive framework for enterprise information secu- rity risk management,” Applied Computing and In- Mohammed Amer Arafah was born in Saudi Arabia formatics, vol. 9, no. 2, pp. 107–118, 2011. in 1965. He received the B.Sc. degree in Computer International Journal of Network Security, Vol.21, No.1, PP.166-176, Jan. 2019 (DOI: 10.6633/IJNS.201901 21(1).21) 176

Engineering from King Saud University, Riyadh, Saudi Saad Haj Bakry is Professor in the Department of Com- Arabia, and the M.Sc. and Ph.D. degrees in Computer puter Engineering, College of Computer and Information Engineering from University of Southern California, Sciences, King Saud University, where he has been work- Los Angeles, USA. He joined King Saud University as ing since 1980. His main areas of research include: in- assistant professor in 1997. His main areas of research formation networks, and knowledge society policies, in- interest are computer networks modeling and simulation, cluding information security policies. In addition to his wireless sensor networks, cooperative relay networks, academic work, he provided consultations to various pub- fault tolerance, and high-speed networks. lic and private sector organizations in Saudi Arabia in- cluding: King Abdulaziz City for Science and Technology; Maazen Alsabaan received the B.Sc. degree in the Commission of Information and Communication Technol- electrical engineering, from King Saud University, Saudi ogy; E-Government Program; and others. Arabia, in 2004, the M.A.Sc. and Ph.D. degrees in Electrical and Computer Engineering from University of Waterloo, Canada, in 2007 and 2013, respectively. He is currently an Assistant Professor in the Department of Computer Engineering, King Saud University, Saudi Arabia. His current research interests include informa- tion security, vehicular networks, green communications, and intelligent transportation systems. Guide for Authors International Journal of Network Security

IJNS will be committed to the timely publication of very high-quality, peer-reviewed, original papers that advance the state-of-the art and applications of network security. Topics will include, but not be limited to, the following: Biometric Security, Communications and Networks Security, Cryptography, Database Security, Electronic Commerce Security, Multimedia Security, System Security, etc.

1. Submission Procedure Authors are strongly encouraged to submit their papers electronically by using online manuscript submission at http://ijns.jalaxy.com.tw/.

2. General Articles must be written in good English. Submission of an article implies that the work described has not been published previously, that it is not under consideration for publication elsewhere. It will not be published elsewhere in the same form, in English or in any other language, without the written consent of the Publisher.

2.1 Length Limitation: All papers should be concisely written and be no longer than 30 double-spaced pages (12-point font, approximately 26 lines/page) including figures.

2.2 Title page The title page should contain the article title, author(s) names and affiliations, address, an abstract not exceeding 100 words, and a list of three to five keywords.

2.3 Corresponding author Clearly indicate who is willing to handle correspondence at all stages of refereeing and publication. Ensure that telephone and fax numbers (with country and area code) are provided in addition to the e-mail address and the complete postal address.

2.4 References References should be listed alphabetically, in the same way as follows: For a paper in a journal: M. S. Hwang, C. C. Chang, and K. F. Hwang, ``An ElGamal-like cryptosystem for enciphering large messages,'' IEEE Transactions on Knowledge and Data Engineering, vol. 14, no. 2, pp. 445--446, 2002. For a book: Dorothy E. R. Denning, Cryptography and Data Security. Massachusetts: Addison-Wesley, 1982. For a paper in a proceeding: M. S. Hwang, C. C. Lee, and Y. L. Tang, ``Two simple batch verifying multiple digital signatures,'' in The Third International Conference on Information and Communication Security (ICICS2001), pp. 13--16, Xian, China, 2001. In text, references should be indicated by [number].

Subscription Information Individual subscriptions to IJNS are available at the annual rate of US$ 200.00 or NT 7,000 (Taiwan). The rate is US$1000.00 or NT 30,000 (Taiwan) for institutional subscriptions. Price includes surface postage, packing and handling charges worldwide. Please make your payment payable to "Jalaxy Technique Co., LTD." For detailed information, please refer to http://ijns.jalaxy.com.tw or Email to [email protected].