A Novel Provable Secured Signcryption Scheme ????: A Hyper-Elliptic Curve-Based Approach

Abstract

Rivest, Shamir, & Adleman (RSA), bilinear pairing, and elliptic curve are well-known techniques/algorithms for security protocols. These techniques suffer from higher computation and communication costs due to increased sizes of parameters, public keys, and certificates. Hyper-elliptic curve has lower parameter size, public key size, and certificate size. The aim of the proposed work is to reduce the computational cost and communication cost. Furthermore, we validate the security properties of our proposed scheme by using the well-known simulation tool called automated validation of Internet security protocols and applications. Our approach ensures security properties such as resistance against replay attack, confidentiality, authenticity, unforgeability, integrity, non-repudiation, public verifiability, and forward secrecy.

1. Introduction

In the early decades of the Internet, people used particular techniques for secure communication. With its rapid development, security has gradually become more important. Security may be considered in terms of confidentiality, unforgeability, public verifiability, non-repudiation, integrity, authentication, and forward secrecy [1]. Even in the presence of research efforts in the literature, privacy and security measures are still an open challenge [2]. Two elementary cryptographic performances to address the problem of privacy and authenticity in applications were formalized: sign-then-encrypt, encrypt-then-sign, and sign-and-encrypt [3]. Unfortunately, the suggested elementary cryptographic performances require more computational effort. In 1997, Zheng addressed the limitations in elementary performance by introducing a novel technique which he called “signcryption” [3]. Signcryption requires less computational complexity, communication cost, and implementation effort. Moving ahead, Deng and Boa [4] suggested a scheme to reduce computational cost by up to 16% and communication cost by up to 85% when compared to the signature-then-encryption technique. Incongruously, their proposed scheme has more computation and communication costs compared to Zheng’s scheme [3]. Gamage et al. [5] improved the approach mentioned in [4] by using firewalls to secure the message without any close-fitting of message confidentiality and deliver clarifications for authentication. This scheme reduces the computation cost to 40% when compared to the customary approach, and its communication cost is similar to Zheng [3]. Despite this, they are incapable of providing forward secrecy. To improve signcryption, several signcryption schemes have been proposed based on the RSA problem [6,7]. Baeket et al. [8] and then Sharma et al. [9] projected an identity-based signcryption scheme with an extra security service of public verifiability. Furthermore, the new projected scheme in [10] was based on an insubstantial ECC to determine verification and forward secrecy. The scheme needs a limited environment to decrease significant computation and communication costs. Toorani et al. [11] contributed the elliptic curve-based signcryption scheme. They claimed that the proposed signcryption scheme meets a forward secrecy security requirement. Nizamuddin et al. [12] targeted direct public verifiability, while Nizamuddin et al. [13] used one more forward secrecy and public verifiability scheme; however, it essentially needs more assistance with the zero-knowledge protocol. There is work available on the identity-based signcryption schemes in the literature [14,15,16,17,18,19,20,21,22,23], but these approaches suffer from the limitations of the key escrow problem. Furthermore, cryptography schemes called certificate-less signcryption have also been contributed [24,25,26,27,28,29,30,31,32,33]. However, these schemes need a secure channel for the distribution of partial secret keys, which is still a challenge. Most recently, Elkamchouchi et al. [34] proposed a new signcryption based on elliptic curve cryptography. They claimed to provide all security services in their work. However, unfortunately, their scheme suffers from replay attack, computational cost, and communication cost. Moreover, they did not use any simulation tools for validation purposes. In this paper, we propose a provable secured signcryption scheme based on a hyper-elliptic curve which will provide all security features along with low computational and communication cost. In contrast to the standard cryptosystems such as RSA and bilinear pairing, which use 1024 bits, and elliptic curve, which consumes 160 bits, our scheme uses 80 bits for the parameter size while providing the same level of security along with low computational and communication cost. Furthermore, we validate our scheme by using a well-known simulation tool called automated validation of internet security protocols and applications (AVISPA) in Appendix A [35]. Thus, our approach is appropriate to be used in resource-constrained devices such as sensors, pagers, and smart phones.

1.1. Preliminaries

Assume that $g$ is the genus of the hyper-elliptic curve over a finite field ${\mathrm{𝒻}}_{\mathrm{𝓺}}$, where the order of this field is 𝓺. Furthermore, if $g$ = 1, then the group order of ${\mathrm{𝒻}}_{\mathrm{𝓺}}$ is $g$. ${\log }_2\mathrm{𝓺}≌2^{160}$. While if $g$ = 2, then the curve will require a field ${\mathrm{𝒻}}_{\mathrm{𝓺}}$ with |${\mathrm{𝒻}}_{\mathrm{𝓺}}$| $≌2^{80}$, which means that it needs an 80 bit key and parameter size. Suppose ${\mathrm{𝒻}}^{*}$ is the algebraic closer of a field 𝒻, where 𝒻 is a finite field of the hyper-elliptic curve. Therefore, the hyper-elliptic curve of $g$ > 1 over 𝒻 representing the solution set (𝛼,𝛽) ∈𝒻∗𝒻 is shown in the following Equation (1):

$$HEC: {\beta }^2+\mathrm{𝗁}\left(\alpha \right)\beta = \mathrm{𝘧}\left(\alpha \right) \mathrm{mod} \mathrm{𝓺}$$

(1)

where

• 𝗁(α) ∈ $\mathrm{𝒻}$[α] is a polynomial and the degree is 𝗁(α) ⩽ g
• 𝘧(α) ∈ 𝒻[α] is the monic polynomial, and the degree is 𝘧(α) ⩽ 2g + 1
• The points on the hyper-elliptic curve do not form a group unlike an elliptic curve
• The hyper-elliptic curve works on divisor $\mathcal{D}$ which is branded as the formal and finite sum of points on a hyper-elliptic curve that can be further symbolized by Mumford as:

  $$\mathcal{D}=\left(\mathrm{𝓊}\left(\alpha \right), \mathrm{𝓋}\left(\alpha \right)\right)=\left({\displaystyle \sum }_{i=0}^{\mathrm{𝓰}}{\mathrm{𝓋}}_i{\alpha }^i,{\displaystyle \sum }_{i=0}^{\mathrm{𝓰}-1}{\mathrm{𝓋}}_i{\alpha }^i\right)$$

Jacobian group $J_{ɕ}\left({\mathrm{𝓯}}_{\mathrm{𝓺}}\right)$ is made by divisor from an abelian group and defining the order of Jacobian group $\mathcal{O}( J_{ɕ}\left({\mathrm{𝓯}}_{\mathrm{𝓺}}\right))$ as:

$$\left|{\left(\sqrt{\mathrm{𝓺}}-1\right)}^{2\mathrm{𝓰}}\right|\le \mathcal{O}( J_{ɕ}\left({\mathrm{𝓯}}_{\mathrm{𝓺}}\right))\le \left|{\left(\sqrt{\mathrm{𝓺}}+1\right)}^{2\mathrm{𝓰}}\right|$$

1.2. Hyper-Elliptic Curve Discrete Logarithm (HECDLP)

Suppose there is a divisor $\mathcal{D}$ of order $\mathrm{𝓺}$ from the group of Jacobian $\left({\mathrm{𝓯}}_{\mathrm{𝓺}}\right).$ Also, there is an equation ${\mathcal{D}}_1=ℒ.\mathcal{D} where ℒ\in {\mathrm{𝓯}}_{\mathrm{𝓺}}$, therefore finding the integer $ℒ$ is called hyper-elliptic curve discrete logarithm problem.

1.3. Basic Notations

In this section, we discuss the basic notations used in our approach:

$\mathrm{HEC}\left({\mathrm{𝓯}}_{\mathrm{𝓺}}\right):$	Represents a hyper-elliptic curve over the field ${\mathrm{𝓯}}_{\mathrm{𝓺}}$
$\mathrm{𝓺}$:	Is a large prime number and the value of $\left|\mathrm{𝓺}\right|≌2^{80}$
$𝒟$:	Is the divisor of the generalized elliptic curve
𝒽1, 𝒽2, 𝒽3:	Demonstrate the hash functions
𝓒:	Epitomizes the ciphertext
m:	$\mathrm{m}:$ Epitomizes the plaintext or message
M = 𝓂.$𝒟$:	Represents the message concatenation with divisor
${\mathrm{𝒹}}_{\mathrm{s}}$:	Represents the private key of the signcrypter
${ℐ}_{\mathrm{s}}$:	Represents the public key of the signcrypter
${\mathrm{𝒹}}_u$:	Represents the private key of the unsigncrypter
${ℐ}_u$:	Represents the public key of the unsigncrypter
$\mathrm{Nr}:$	Is a fresh nonce
$\mathcal{K}$:	Represent the secret key
${\mathrm{𝓍}}_{\mathcal{K}}$, ${\mathrm{𝓎}}_{\mathcal{K}}$:	Representing the subdivided secret key $\mathcal{K}$
E/D:	Represents the encryption and decryption functions
Eyk (Exk(M)):	Represents double encryption
Dyk (Dxk(𝓒)):	Represents double decryption

2. Formal Model of the Proposed Scheme

In Figure 1, we describe the proposed model of our scheme. Our approach contains four entities—data generator, signcrypter, certificate authority, server and verifier/unsigncrypter. Before starting communication the certificate authority first published the entire public parameters e.g., $𝒟$, ${\mathrm{𝒽}}_1, {\mathrm{𝒽}}_2, {\mathrm{𝒽}}_3,ℰ/\mathcal{D}, \mathrm{HEC}\left({\mathrm{𝒻}}_{\mathrm{𝓆}}\right),{\mathrm{𝒻}}_{\mathrm{𝓆}},\mathrm{𝓆}.$ The data generator verifies the public key of verifier from a certificate authority and then performs the signcryption process with a fresh nonce. After producing the signcryptext, the data generator uploads signcryptext to the server and the server just forwards it to the legitimate receiver/verifier. Later, the verifier first verifies the public key of data generator/signcrypter and then performs the unsigncryption process.

2.1. Proposed Scheme Construction

The proposed $𝒫$$𝒮$$𝒮$$𝒮$ includes key-generation phase, signcryption algorithm, and unsigncryption algorithm.

2.1.1. Key Generation

The Alice/signcrypter picks a number ${\mathrm{𝒹}}_{\mathrm{s}}$ as a private key from $\left\{1,\dots ‥‥,\mathrm{𝓆}-1\right\}$ and produces their public key ${ℐ}_{\mathrm{s}}$ = ${\mathrm{𝒹}}_{\mathrm{s}}.\mathcal{D}$. Also, the Bob or unsigncrypter picks a number ${\mathrm{𝒹}}_u$ from $\left\{1,\dots ‥‥,\mathrm{𝓆}-1\right\}$ and produces their public key ${ℐ}_u$ = ${\mathrm{𝒹}}_u.\mathcal{D}$, where $\mathcal{D}$ is the divisor on a hyper-elliptic curve.

2.1.2. Signcryption

The Algorithm 1, takes the public key of unsigncrypter, divisor, private key of signcrypter and the message (${ℐ}_u,\mathcal{D}, {\mathrm{𝒹}}_s,\mathrm{𝓂}$). After this produces the cipher text and their signature. Sends ω = (𝓒,$\mathcal{X},\mathcal{S}$) to Bob or unsigncrypter.

Algorithm 1. Algorithm (${ℐ}_u,\mathcal{D}, {\mathrm{𝒹}}_s,\mathrm{𝓂}$)

Randomly select a number γ from {1,…‥‥,q − 1}.

Select a nonce $\mathrm{Nr}$

Compute $\mathcal{Z}= \gamma .\mathcal{D} mod \mathrm{𝓆}$ where $\mathcal{D}$ is the divisor on a hyper-elliptic curve.

Divide $\mathcal{Z}$ into ${\mathrm{𝓍}}_{\mathrm{𝓏}}$, ${\mathrm{𝓎}}_{\mathrm{𝓏}}$

Compute $\mathcal{X}= {\mathrm{𝒽}}_1\left(\mathrm{𝓂}//{\mathrm{𝓍}}_{\mathrm{𝓏}}.\mathrm{Nr}\right)$

Compute $\mathcal{K}= {\mathrm{𝒽}}_2\left(\left(\gamma + \mathcal{X}. {\mathrm{𝒹}}_s\right). {ℐ}_u\right)$

Divide $\mathcal{K}$ into ${\mathrm{𝓍}}_{\mathcal{K}}$, ${\mathrm{𝓎}}_{\mathcal{K}}$

Compute $ℳ=\mathrm{𝓂}.\mathcal{D}$

Compute 𝓒 = $ℰ{\mathrm{𝓎}}_{\mathcal{K}}\left( ℰ{\mathrm{𝓍}}_{\mathcal{K}}\left(ℳ,\mathrm{Nr}\right)\right)$

Compute 𝓣 = ${\mathrm{𝒽}}_3$(𝓒)

Compute 𝓢 = ${\mathsf{\gamma }}^{-1}\left( {\mathrm{𝒹}}_s\mathcal{X}-\mathcal{T}\right)mod \mathrm{𝓆}$

Send ω = (𝓒, $\mathcal{X},\mathcal{S}$) to Bob or Unsigncrypter

2.1.3. Unsigncryption

After receiving the signcrypted text ω = ($\mathcal{C}$, $\mathcal{X}, \mathcal{S}$) this algorithm takes ciphertext, signature, the private key of unsigncrypter, divisor and public key of signcrypter ($\mathcal{C}, \mathcal{X},\mathcal{S},{\mathrm{𝒹}}_u,\mathcal{D}, {ℐ}_{\mathrm{s}}$). Therefore, to check the signature authenticity and decrypt the cipher text to plaintext, the unsigncrypter performs unsigncryptions by using the Algorithm 2.

Algorithm 2. Algorithm ($\mathcal{C}, \mathcal{X},\mathcal{S},{\mathrm{𝒹}}_u,\mathcal{D}, {ℐ}_{\mathrm{s}}$)

Compute $\mathcal{T}$ = ${\mathrm{𝒽}}_3$($\mathcal{C}$)

Compute $\mathcal{Z}={\mathcal{S}}^{-1}$($𝒳$.${ℐ}_{\mathrm{s}}-\mathcal{T}.\mathcal{D}$)

Divide $\mathcal{Z}$ into ${\mathrm{𝓍}}_{\mathrm{𝓏}}$, ${\mathrm{𝓎}}_{\mathrm{𝓏}}$

Divide $\mathcal{Z}$ into ${\mathrm{𝓍}}_{\mathrm{𝓏}}$, ${\mathrm{𝓎}}_{\mathrm{𝓏}}$

Use the double decryption method $ℳ,Nr= \mathcal{D}{\mathrm{𝓎}}_{\mathcal{K}}\left( \mathcal{D}{\mathrm{𝓍}}_{\mathcal{K}}\left(\mathcal{C}\right)\right)$

Compute ${\mathcal{X}}^{⫾}= {\mathrm{𝒽}}_1\left(\mathrm{𝓂}//{\mathrm{𝓍}}_{\mathrm{𝓏}} .Nr\right)$

Compare ${\mathcal{X}}^{⫾}=\mathcal{X}$ if equality holds then there is no change in $\mathrm{𝓂}$

Verification of signature is done through 𝒵.$\mathcal{S}$ + $\mathcal{T}.\mathcal{D}=$ $𝒳$. ${ℐ}_{\mathrm{s}}$

3. Correctness

Proof 1. 

The unsigncrypter can create the secret session key by using the following calculations.

$$\begin{array}{l}𝒦= {\mathrm{𝒹}}_u\left(\mathcal{Z}+\mathcal{X}. {ℐ}_s\right)\\ = {\mathrm{𝒹}}_u\left(\mathcal{Z}+\mathcal{X}. {ℐ}_s\right)= {\mathrm{𝒹}}_u\left(\gamma .\mathcal{D} +\mathcal{X}. {ℐ}_s\right) where \mathcal{Z}= \gamma .\mathcal{D}\\ = {\mathrm{𝒹}}_u\left(\gamma .\mathcal{D} +\mathcal{X}.{\mathrm{𝒹}}_s.\mathcal{D}\right) where {ℐ}_{\mathrm{s}}= {\mathrm{𝒹}}_{\mathrm{s}}.\mathcal{D}\\ = {\mathrm{𝒹}}_u.\mathcal{D} \left(\gamma +\mathcal{X}.{\mathrm{𝒹}}_s\right)= {ℐ}_u\left(\gamma +\mathcal{X}.{\mathrm{𝒹}}_s\right) where {ℐ}_u = {\mathrm{𝒹}}_u.\mathcal{D}\\ = {ℐ}_u\left(\gamma +\mathcal{X}.{\mathrm{𝒹}}_s\right) = 𝒦\end{array}$$

□

Proof 2. 

When any conflict occurs between signcrypter and unsigncrypter, the trusted third party/judge can easily resolve the conflict by performing the following calculation.

$$\begin{array}{l}\mathcal{Z}=\frac{\left(\mathcal{X}. {ℐ}_{\mathrm{s}}-\mathcal{T}.\mathcal{D}\right)}{\mathcal{S}}=\frac{\left(\mathcal{X}. {ℐ}_{\mathrm{s}}-\mathcal{T}.\mathcal{D}\right)}{\mathcal{S}}\\ =\frac{\left(\mathcal{X}. {ℐ}_{\mathrm{s}}-\mathcal{T}.\mathcal{D}\right) }{\mathcal{S}}=\frac{\left(\mathcal{X}. {ℐ}_{\mathrm{s}}-\mathcal{T}.\mathcal{D}\right) }{{\mathsf{\gamma }}^{-1}\left( {\mathrm{𝒹}}_{\mathrm{s}}\mathcal{X}-\mathcal{T}\right)} \mathrm{where} \mathcal{S}= {\mathsf{\gamma }}^{-1}\left( {\mathrm{𝒹}}_{\mathrm{s}}\mathcal{X}-\mathcal{T}\right)\\ =\frac{\mathsf{\gamma }.\left(\mathcal{X}. {ℐ}_{\mathrm{s}}-\mathcal{T}.\mathcal{D}\right) }{\left({\mathrm{𝒹}}_{\mathrm{s}}\mathcal{X}-\mathcal{T}\right)}=\frac{\mathsf{\gamma }.\left(\mathcal{X}. {\mathrm{𝒹}}_{\mathrm{s}}.\mathcal{D} -\mathcal{T}.\mathcal{D}\right) }{\left({\mathrm{𝒹}}_{\mathrm{s}}\mathcal{X}-\mathcal{T}\right)} \mathrm{where} {ℐ}_{\mathrm{s}}= {\mathrm{𝒹}}_{\mathrm{s}}.\mathcal{D}\\ =\frac{\mathsf{\gamma }.\mathcal{D}.\left(\mathcal{X}. {\mathrm{𝒹}}_{\mathrm{s}}-\mathcal{T}\right) }{\left(\mathcal{X} {\mathrm{𝒹}}_{\mathrm{s}}-\mathcal{T}\right)} = \mathsf{\gamma }.\mathcal{D}=\mathcal{Z}\end{array}$$

□

4. Security Analysis

In this section, we discuss the security services of our proposed $𝒫$$𝒮$$𝒮$$𝒮$.

Table 1. Comparison in term of security requirements.

Schemes	𝓒𝓞𝓝	𝓘𝓝𝓣	𝓐𝓤𝓣	𝓤𝓝𝓕	𝓝𝓡𝓟	𝓕𝓡𝓢	𝓟𝓥	𝓡𝓐𝓡	𝓢𝓔𝓒𝓥𝓝
Hwang [10]	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓝𝓞	𝓝𝓞
Toorani [11]	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓝𝓞	𝓨𝓢	𝓨𝓢	𝓝𝓞	𝓝𝓞
Mohpathra [33]	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓝𝓞	𝓝𝓞
Elkamchouchi [34]	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓝𝓞	𝓝𝓞
Proposed	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢	𝓨𝓢

illustrates the comparisons of the proposed scheme and schemes [10,11,33,34] in terms of security services. Our proposed $𝒫$$𝒮$$𝒮$$𝒮$ ensures security services such as resistance against replay attack, confidentiality, authenticity, unforgeability, integrity, non-repudiation, public verifiability, and forward secrecy. We validate our scheme by using a well-known simulation tool called AVISPA [35]. AVISPA is an automatic simulation tool for the purpose of validation, verification, and analysis of Internet security-sensitive modules, applications, and cryptographic techniques. With the verification of AVISPA, it becomes stress-free to ensure that the developed protocol is either SAFE or UNSAFE by considering security parameters. To find the results of the designed protocol, it is essential to put them in the form of the High level protocol specification language (HLPSL) language according to its syntax and rules. Code written on the rules of HLPSL language is then converted into lower-level machine language through the intermediate format (IF). The HLPSL2IF translator performs the translation to an intermediate format (IF). According to Dolev and Yao [36,37], HLPSL2IF translator checks the execution in the wisdom of giving initial knowledge, and every agent can construct the messages he is supposed to. AVISPA tool works with four back ends known as On-the-fly Model-Checker (OFMC), CL-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree-Automata-based Protocol Analyzer (TA4SP) to specify the results. OFMC implements a semi-decision procedure for security of protocols in a bounded number of sessions [38,39]. CL-AtSe represents the set of constraints used to discover if there are attacks on protocols [40]. SATMC [41] is the art of a propositional formula encoding and unrolling of the transition relation to put into a state-of-the-art (SAT) solver to translate back into the attack. The TA4SP [42] illustrates the under-approximation and over-approximation of sessions in protocols by approaching the intruder knowledge with the assistance of regular tree languages. Figure 2 shows the top down flow of AVISPA.

4.1. Replay Attack

Our scheme ensures that the attacker cannot perform the reply attack based on old messages. If an attacker wants to resend old messages to the unsigncrypter then it generates the tuple ω = ($\mathcal{C}$,$\mathcal{X}, \mathcal{S}$) and sends to the unsigncrypter. After receiving a tuple ω = ($\mathcal{C}$,$\mathcal{X}, \mathcal{S}$) the unsigncrypter checks the nonce Nr, if it is fresh then the unsigncrypter accepts the tuple otherwise rejects it.

4.2. Confidentiality

Our scheme completely satisfies the security requirement of confidentiality. However, before sending the message to the unsigncrypter, the signcrypter uses the secret key $𝒦$ to convert the message into ciphertext. Then, an intruder can try to get it from Equation (2). Thus, the intruder must solve Equation (3) and for it must also compute first Equation (4). It is always very challenging to generate the original ciphertext for two hyper-elliptic curve discrete algorithmic problems, so confidentiality of the scheme is maintained.

$$(\mathcal{K}= {\mathrm{𝒽}}_2\left(\left(\gamma + \mathcal{X}. {\mathrm{𝒹}}_s\right). {ℐ}_u\right)$$

(2)

$${ℐ}_{\mathrm{s}}= {\mathrm{𝒹}}_{\mathrm{s}}.\mathcal{D}$$

(3)

$$\mathcal{Z}= \gamma .\mathcal{D}$$

(4)

4.3. Integrity

Our approach calculates the hash value of the message by using the following Equation (5) before delivery. After getting a message the unsigncrypter first checks the freshness of $\mathrm{Nr}$ and then computes the hash value from the Equation (6). If freshness checking ($\mathrm{Nr}$) results in $\mathcal{X}={\mathcal{X}}^{⫾}$ then integrity of the message is maintained.

$$\mathcal{X}= {\mathrm{𝒽}}_1\left(\mathrm{𝒽}//{\mathrm{𝓍}}_{\mathrm{𝓏}} .Nr\right)$$

(5)

$${\mathcal{X}}^{⫾}= {\mathrm{𝒽}}_1\left(\mathrm{𝒽}//{\mathrm{𝓍}}_{\mathrm{𝓏}} .Nr\right)$$

(6)

4.4. Authenticity

Our scheme ensures the authenticity of signcrypter as the unsigncrypter extract ${\mathrm{𝓍}}_{\mathcal{K}}$, ${\mathrm{𝓎}}_{\mathcal{K}}$ by computing $𝒦$ = ${\mathrm{𝒹}}_u\left(\mathcal{Z}+\mathcal{X}. {ℐ}_s\right)= {\mathrm{𝒹}}_{\mathcal{K}}$, ${\mathrm{𝓎}}_{\mathcal{K}}$. This is not possible for an intruder to challenge the authenticity of our scheme because they will need the public key of signcrypter and the private key of unsigncrypter to do that. Moreover, unsigncrypter verifies the validity of ${\mathrm{𝓍}}_{\mathcal{K}}$, ${\mathrm{𝓎}}_{\mathcal{K}},$ after decryption of ciphertext (C) and compares computed ${\mathrm{𝓍}}_{\mathcal{K}}$, ${\mathrm{𝓎}}_{\mathcal{K}}$ and decrypted ${\mathrm{𝓍}}_{\mathcal{K}}$, ${\mathrm{𝓎}}_{\mathcal{K}}$ from the cipher text.

4.5. Unforgeability

To produce a forged signature, the forger needs the random private number $\mathsf{\gamma }$ and the private key of signcrypter ${\mathrm{𝒹}}_{\mathrm{s}}$, as to whom in the following equation. Furthermore, to find out the private random number $\mathsf{\gamma }$ and the private key of a sender ${\mathrm{𝒹}}_{\mathrm{s}}$, the forger must compute Equations (3) and (4). This is not feasible for a forger to makes two time hyper-elliptic discrete algorithmic problems. Therefore, the unforgeability is maintained in our approach.

$${\mathcal{S}}^{⫾}={\mathsf{\gamma }}^{-1}\left({\mathrm{𝒹}}_s\mathcal{X}-\mathcal{T}\right)$$

(7)

4.6. Non-Repudiation

Our scheme assures the security service of non-repudiations. In proposing an approach, the sender generates a digital signature on a message like Equation (7). Hence, in this way, if the signcrypter wants to repudiate from there sent messages the trusted third party can easily identify the source by using the public key of signcrypter.

4.7. Forward Secrecy

Our designed $𝒫$$𝒮$$𝒮$$𝒮$ meets forward secrecy services of security. In our scheme, even if the private key of a signcrypter is compromised, the attacker cannot decrypt the messages because we use the session secret key for encryption and decryption. Therefore, to generate the secret key $𝒦$ from Equation (2), the attacker needs the random number $\mathsf{\gamma }$, which is private to the signcrypter. Thus, to generate $𝒦$ by using Equation (2) is infeasible and intolerable for attacker to solve the hyper-elliptic curve discrete algorithmic problem. Furthermore, we refresh the secrete key at each session. In this way, our scheme strongly satisfies the forward secrecy property.

4.8. Public Verifiability

Our designed $𝒫$$𝒮$$𝒮$$𝒮$ ensures public verifiability; to resolve the conflict, a trusted third party can verify the message is from signcrypter or not, by using the following equations.

• Compute $\mathcal{Z}={\mathcal{S}}^{-1}$(${ℐ}_{\mathrm{s}}-\mathcal{T}.\mathcal{D}$)
• Compute ${\mathcal{X}}^{⫾}= {\mathrm{𝒽}}_1\left(\mathrm{𝓂}//{\mathrm{𝓍}}_{\mathrm{𝓏}} .Nr\right)$
• Compare ${\mathcal{X}}^{⫾}=\mathcal{X}$ if equality holds, then there is no change in $\mathrm{𝓂}$
• Verification of signature is done through 𝒵.$\mathcal{S}$ + $\mathcal{T}.\mathcal{D}=$$𝒳$.${ℐ}_{\mathrm{s}}$, if satisfy then the message from signcrypter otherwise not.

We have investigated the security services of the designed scheme in terms of a signcryption program. Our designed signcryption scheme accords with the security services for the implementation of both encryption and signatures. We inspected the similarity models of the previous signcryption mechanisms; it is clear that our signcryption scheme offers effective countermeasures in security services, such as schemes [10,33,34], and has been pointed out that the scheme cannot provide resistance against replay attack and not validated through simulation tool; scheme [11] cannot satisfy the services of non-repudiation, and replay attack resistance, and is not validated through simulation tool. By comparison with the previous signcryption mechanisms, the designed method can accomplish all the security services as claimed. Table 1 shows the security requirement comparisons of the proposed scheme and existing schemes [10,11,33,34]. We use the notations $\mathcal{C}\mathcal{O}\mathcal{N}$ for confidentiality, $ℐ\mathcal{N}\mathcal{T}$ for integrity, $\mathcal{A}\mathcal{U}\mathcal{T}$ for authentication, $\mathcal{U}\mathcal{N}$ for unforgeability, $\mathcal{N}\mathcal{R}\mathcal{P}$ for non-repudiation, $ℱℛ\mathcal{S}$ for forward secrecy, $\mathcal{P}\mathcal{V}$ for public verifiability, $ℛ\mathcal{A}ℛ$ for reply attack resistance and $\mathcal{S}ℰ\mathcal{C}\mathcal{V}\mathcal{N}$ for security validation by using simulation tools. In addition, we use $\mathcal{Y}\mathcal{S}$ notation to satisfy the property and $\mathcal{N}\mathcal{O}$ not satisfied the property.

5. Computational Cost

It is important to note that the computational cost is necessary for both sender and receiver. Existing security schemes use elliptic curve point multiplication (𝓔𝓒-𝓟𝓜) which is considered to be a costly operation to measure the computational cost [43]. We use hyper-elliptic curve divisor multiplication (𝓗𝓒-𝓓𝓜) that is far cheaper than (𝓔𝓒-𝓟𝓜) in computational cost.

Table 2. Comparison of computational cost in terms of major operations.

Schemes	Signcryption	Unsigncryption	Total
Hwang [10]	2 𝓔𝓒-𝓟𝓜	3 𝓔𝓒-𝓟𝓜	5𝓔𝓒-𝓟𝓜
Toorani [11]	2 𝓔𝓒-𝓟𝓜	3 𝓔𝓒-𝓟𝓜	5 𝓔𝓒-𝓟𝓜
Mohpathra [33]	3 𝓔𝓒-𝓟𝓜	2 𝓔𝓒-𝓟𝓜	5 𝓔𝓒-𝓟𝓜
Elkamchouchi [34]	2 𝓔𝓒-𝓟𝓜	4 𝓔𝓒-𝓟𝓜	6 𝓔𝓒-𝓟𝓜
Proposed	2 𝓗𝓒-𝓓𝓜	4 𝓗𝓒-𝓓𝓜	6 𝓗𝓒-𝓓𝓜

shows the computational cost comparisons standard security schemes with the proposed scheme.

We observed from [44] the experiments were produced hrough by a PC with the following specifications:

• Intel Core i74510UCPU
• 2.0 GHz processor
• 8 GB of memory
• Windows 7 Home Basic
• Multi-precision Integer and Rational Arithmetic C Library (MIRACL)

Their results concluded that single scalar multiplication practices 0.97 ms for elliptic curve point multiplication (𝓔𝓒-𝓟𝓜). We suppose that, if using the same environment like [44], the hyper-elliptic curve divisors scalar multiplication (𝓗𝓒-𝓓𝓜) will be consumes 0.48 ms because it is the generalized form of elliptic curves and uses the half amount of key,i.e., 80 bits. The following

Table 3. Comparative computational cost in term of milli seconds (ms).

Schemes	Signcryption	Unsigncryption	Total
Hwang [10]	1.94	2.91	4.85
Toorani [11]	1.94	2.91	4.85
Mohpathra [33]	2.91	1.91	4.85
Elkamchouchi [34]	2.91	3.88	5.86
Proposed	0.96	1.92	2.88

shows the computational cost comparisons with respect to time- consuming in milliseconds:

The computational cost is calculated by using the formula $\frac{\mathrm{existing} \mathrm{scheme} - \mathrm{proposed} \mathrm{scheme}}{\mathrm{existing} \mathrm{scheme}}$ [45]. As shown in Table 3, we observed that the schemes [10,11,33] have the same computational cost which is 4.85 ms, scheme [34] is 5.86 ms and proposed scheme is 2.88 milliseconds.

6. Communication Cost

The minimum communication overhead is the essential requirement of a cryptographic technique for wireless networks. In our approach, we assume that for elliptic curve $|\mathscr{H}|≌\left|\rho \right|$ where $\rho$ is a large prime number $\ge 2^{160}$ and for hyper-elliptic curve $|\mathscr{H}|≌ \left|\mathrm{𝓆}\right|$ where 𝓺 is a large prime number $\ge 2^{80}.$

Table 4. Shows the communication cost of proposed and existing signcryption.

Schemes	Communication Cost
Hwang [10]	$\mathcal{C}+|\mathscr{H}|+2\left|\mathsf{\rho }\right|$
Toorani [11]	$\mathcal{C}+|\mathscr{H}|+2\left|\mathsf{\rho }\right|$
Mohpathra [33]	$\mathcal{C}+|\mathscr{H}|+2\left|\mathsf{\rho }\right|$
Elkamchouchi [34]	$\mathcal{C}+|\mathscr{H}|+\left|\mathsf{\rho }\right|$
Proposed	$\mathcal{C}+|\mathscr{H}|+\left|\mathrm{𝓆}\right|$

elaborates the comparisons in terms of cipher text size and additional parameters. The communication cost of schemes [10,11,33] is $\mathcal{C}+|\mathscr{H}|+2\left|\rho \right|.$ Also the communication cost of a scheme [34] is $\mathcal{C}+|\mathscr{H}|+\left|\rho \right|$ and proposed scheme is $\mathcal{C}+|\mathscr{H}|+|\mathrm{𝓆}$|.

Generalized Formulas for the Reduction of Communication Cost

Reduction formulas for the communication cost of the proposed scheme in comparison to the schemes of [10,11,33] are computed with the help of the following equation.

$$\frac{\mathcal{C}+|\mathscr{H}|+2\left|\rho \right|- \mathcal{C}+|\mathscr{H}|+\left|\mathrm{𝓆}\right|}{\mathcal{C}+|\mathscr{H}|+2\left|\rho \right|}$$

Also, the reduction formula for the communication cost of the proposed scheme as compared to a scheme [34] is followed by Equation (3).

$$\frac{\mathcal{C}+|\mathscr{H}|+\left|\rho \right|- \mathcal{C}+|\mathscr{H}|+\left|\mathrm{𝓆}\right|}{\mathcal{C}+|\mathscr{H}|+\left|\rho \right|}$$

Reduction in communication cost depends upon the selection of parameters and the quantity of data.

Table 5. Communication cost comparisons in terms of size of cipher text.

Schemes	Message Size	128 bits	256 bits	1024 bits
Hwang [10]		128 + |160| + 2|160| = 608	256 + |160| + 2|160| = 736	1024 + |160| + 2|160| = 1504
Toorani [11]		128 + |160| + 2|160| = 608	256 + |160| + 2|160| = 736	1024 + |160| + 2|160| = 1504
Mohpathra [33]		128 + |160| + 2|160| = 608	256 + |160| + 2|160| = 736	1024 + |160| + 2|160| = 1504
Elkamchouchi [34]		128 + |160| + |160| = 448	256 + |160| + |160| = 576	1024 + |160| + |160| = 1344
Proposed		128 + |80| + |80| = 288	256 + |80| + |80| = 416	1024 + |80| + |80| = 1184

shows the comparisons of communication cost of different sizes of ciphertext and parameters of elliptic curves and hyper-elliptic curve of the proposed and existing schemes [10,11,33,34]. It is clear from our analysis that our scheme uses 21.27% to 52.63% less communication cost than [10,11,33], and 11.90% to 35.71% less than the technique presented in [34].

7. Applications

In this phase, we discuss the applications of our design approach in e-payment systems during online shopping [46,47]. Online shopping system includes three main roles—customer, bank, and merchant. Figure 3 shows the deployment of our scheme in e-payment during online shopping. In this system, the customer first selects the item to buy according to his choice. After this, the merchant will send a validated payment order to his customer. Furthermore, the customer generates a signcryptext of validated payment and then sends it to the bank. After receiving the signcryptext the bank approves payment validations by checking their account details. The bank encrypts these charges through secret key, stores it in the temporary memory and sends it back to the customer with following instructions

• Confirm payment order validity
• If not valid then EXIT

For the further process of order, the customer signcrypts these details and sends to the merchant. After confirming the payment order validity, the merchant delivers the particular goods to the customer. After receiving the goods, the customer forwards this acknowledgment to the bank to deduct the charges from his account. To end the whole communication securely, the bank sends payment deduction to the sender as well as to the merchant.

8. Conclusions

This paper presents a new provable secured signcryption scheme ($𝒫$$𝒮$$𝒮$$𝒮$) based on hyper-elliptic curve. The proposed scheme, reduced in communication cost about 21.27% to 52.63% from [10,11,33], and from [34] is about 11.90% to 35.71%, and reduced in computational cost about 40.61% from [10,11,33], and about 50.85% from [34]. Furthermore, the proposed scheme ensures security properties such as resistance against replay attack confidentiality, authenticity, unforgeability, integrity, non-repudiation, public verifiability, and forward secrecy. Furthermore, we have validated the security properties of our proposed scheme by using well-known simulation tools such as AVISPA.