Hybrid Encryption Model Based on Advanced Encryption Standard and Elliptic Curve Pseudo Random

2.2.1 Overview

Cryptography based on elliptical curves (ECC) has enjoyed great interest since its introduction by Miller and Koblitz in 1987 [11, 12].

Cryptographic systems based on elliptical curves make it possible to gain efficiency in key management because of the small sizes of the keys used. In addition, the calculation algorithms linked to elliptical curves are faster, and therefore have a much higher key generation and exchange rate. Cryptographic systems based on elliptical curves are increasingly used in protocols using public key cryptography. Elliptic curves are used for encryption (ElGamal ECC), digital signatures (ECDSA), pseudo-random generators and other tasks. The Elliptical curve equation is of the form y² = x³ + ax + b, the value of a and b is fixed and x, y belongs to finite field (prime or binary field). Encryption and decryption algorithms are based on point multiplications (usually referred to with kP, where k is the scalar). The base point P on which the point multiplication (a.k.a. scalar multiplication) is done is also fixed. All operations of ECC are done in the finite field (prime or binary field). Two basic operations over the curve are defined: The Point Addition and the Point Doubling. Point addition computes a third point on the curve taking two different input points, while Point Doubling computes a third point on the curve when the two inputs are the same Point as depicted in Figure 2. Both Point Addition and Point Doubling operations are built using modular arithmetic, where operations like addition, subtraction, multiplication, etc. are required. In Figure 3, the hierarchy of scalar multiplication is presented.

2.2.2 ECC montgomery scalar multiplication

Point Multiplication is the base of the ECC. It exists differents algorithms to compute it. The Montgomery scalar multiplication, presented in Listing 1, is the most popular algorithm which is resistant against SCA (Side Channel Attacks) [13].

Listing 1: Montgomery Point multiplication

Input: k = (kn−1, kn−2…, k1, k0) ² with Kn-1=1, P (x, y) € E(F2^m)

Output: Q = k. P

1: R₀ ← 0 and R₁ ← P

2: For i=n down to 0 do

3: If ki =1 then

4: R₁ ← R₁₊ R₀ Addition step

5: R₀ ← 2R₀ Doubling step

6: Else

7: R₀ ← R_{0 +} R₁ Addition step

8: R₁ ← 2R₁ Doubling step

9: End if

10: End for

11: Return Q=R

2.2.3 López-Dahab’s montgomery scalar multiplication

Using López-Dahab’s Montgomery point multiplication, inversion, which consumes a lot of resources in terms of memory as well as execution cycles, and power consumption, is avoided and the number of multiplication operations is optimized. Algorithm 5 gives the Montgomery point multiplication. We can see that, whatever the value of ki, point addition (Madd) and point doubling (Mdouble) are computed simultaneously [14, 15].

Listing 2. López-Dahab’s Montgomery scalar multiplication [15]

Input: k = (k_n−1, k_n−2…, k1_{, k0})₂ with

Output: Q = k P k_n−1=1 P (x,y) E(F₂^m)

Set X₁ = x; Z₁ = 1; X₂ = x⁴ + b; Z₂ = x²

For i from N -2 down to 0 do

If k_i = 1 then

Madd (X₁; Z₁; X ₂; Z₂);

Mdouble (X₂; Z₂); else

Madd (X₂; Z₂; X1; Z1);

Mdouble (X₁; Z1);

End if

End for

x₃=X₁/Z₁

y₃=(x+X₁/Z₁).[(X₁+xZ₁)(X₂+xZ₂)+(x²+y)(Z₁.Z₁)].(xZ₁Z₁)^-1

Return (x₃, y₃)

The point addition Madd (X1; Z1; X2; Z2) is computed as follow:

The point doubling Mdouble (X2; Z2) is computed as follow:

2.2.4 Side channel attacks (SCA)

In computer security, a side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs). Timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited. Some side-channel attacks require technical knowledge of the internal operation of the system, although others such as differential power analysis are effective as black-box attacks. The rise of Web 2.0 applications and software-as-a-service has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and server are encrypted (e.g. through HTTPS or WiFi encryption), according to researchers from Microsoft Research and Indiana University [16] Many powerful side-channel attacks are based on statistical methods pioneered by Paul Kocher [17] Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically considered side-channel attacks: see social engineering and rubber-hose cryptanalysis.

General classes of side channel attack include:

Cache attack: attacks based on attacker’s ability to monitor cache accesses made by the victim in a shared physical system as in virtualized environment or a type of cloud service.

Timing attack: attacks based on measuring how much time various computations (such as, say, comparing an attacker’s given password with the victim’s unknown one) take to perform.

Power-monitoring attack: attacks that make use of varying power consumption by the hardware during computation.

Electromagnetic attack: attacks based on leaked electromagnetic radiation, which can directly provide plaintexts and other information. Such measurements can be used to infer cryptographic keys using techniques equivalent to those in power analysis or can be used in non-cryptographic attacks, e.g. TEMPEST (aka van Eck phreaking or radiation monitoring) attacks.

Acoustic cryptanalysis: attacks that exploit sound produced during a computation (rather like power analysis).

Differential fault analysis: in which secrets are discovered by introducing faults in a computation.

Data remanence: in which sensitive data are read after supposedly having been deleted. (i.e. Cold boot attack).

Software-initiated fault attacks: Currently a rare class of side-channels, Row hammer is an example in which off-limits memory can be changed by accessing adjacent memory too often (causing state retention loss).

Optical: in which secrets and sensitive data can be read by visual recording using a high-resolution camera, or other devices that have such capabilities (see examples below).

One significant advantage of the ECC is that this method can be utilized for random number generation. Dual-EC-DRBG is recommended by the NIST as a random generator standard [18]. But it has a back door in random bit generator algorithm [19].

3.1.1 Random number generation

Random Number Generator utilizes the benefits of Discrete Logarithm Problem (DLP) to generate sequence of number. The DLP in the elliptic curve cryptography permits to obtain irreversible numbers in order of P (a point on the curve) which is hard in the calculation. Ce cryptographic algorithm takes the strengths of the ECC principle operations, addition, and multiplication. Because it is unattainable to obtain the shared primary key; it’s a DLP, sharing of point A and point G which are two points bellowing to the curve where A = [JK]. G, will not impact the security of the suggested way. The algorithm uses mainly point addition in the place of multiplication because this latter is very costly. In the final, because whole operations in the ECC are safe, the multiplication of X coordinates of points A, B, and C are employed to produce the matrix D. The value of JK is updated utilizing the Y coordinate of points to furnish randomness of the suggested algorithm that covering the back-door issue. The propound method utilized for the random generation is detailed in Listing 3.

Listing 3. The Algorithmic of Random Number Generation Step

1. Procedure: RNG (Y, G, k, Primary Key)

2. J K₁ ← Primary Key

3. for i ← 1, i ≤ k do

4. A (x, y) ← JK_i ∗ G (x, y), where ∗ indicates the point multiplication in ECC

5. B (x, y) ← A (x, y) ⊗Y (x, y), where ⊗ indicates the point addition in ECC

6. C (x, y) ← B (x, y) ⊗G (x, y)

7. D_i ← |x_A × x_B × x_C |, where x_A is the coordinate of point A, x_B is the coordinate of the point B_, x_C is the coordinate of the point C

8. J K_{i+1 ←} y_A + y_B + y_C, where y_A is the coordinate of point A, y_B is the coordinate of the point B_, y_C is the coordinate of the point C

9. end for

10. return D

11. End procedure

When analyzing the proposed algorithmic, we note that the Primary Key consists of shared primary key betwixt parts. Both G and Y bellow on the curve having big orders. The k parameter presents the number of randoms needed for the generation where its value dependant on the execution system specifications. It can be defined based on the size of the image. it is preferable to set k value founded on the size of image for small images and to fix this value for large images. J K1 takes the value of the primary key. After that, the point A (x, y), where x and y are the coordinates of the point on the elliptic curve, is performed using the point multiplication between J Ki and the point G (x, y). Then, the point B (x, y) is acquired using the point addition of A (x, y) and Y (x, y). To obtain C (x, y), a point addition of B (x, y) and G (x, y) is performed. In the end, Di is acquired using multiplication of |xA × xB × xC|and the J Ki value is updated by the simple addition of yA + yB + yC. D is the result of the algorithmic that contains generated numbers needed for the encryption. The D matrix presents the base for maskers’ generation and initial ciphers.

3.1.2 Maskers generation step

After the generation, random numbers are utilized to produce maskers’ matrices for the encryption process. Every masker is specific for its corresponding channel where it is ciphered using the AES. Maskers present the keyspace for cipher image and their entropy value tests the randomness in order to prove the effectiveness. The D array is utilized to create maskers for image encryption where the elements of Z are ciphered using AES with the primary key. In algorithmic 3, the RMR presents the masker result utilized to encrypt the red channel of the original image. After that, the RMR is employed as input for AES to obtain the green channel masker result (RMG). In the end, by applying the AES on the RMG, the blue channel masker RMB is obtained. An IV parameter is acquired using both Primary Key and β value where:

By utilizing this parameter, 3*128 bits initial cipher (IC) for every channel and a 128-bit IC_Key are created where:

These values are removed from maskers. The Listing 4 presents the technique maskers and ICs gained.

Listing 4. The Algorithmic of Masker Generation Step

1. Procedure: masker (Array D, Primary Key, k)

2. for i ← 1, i ≤ k do

3. RM_R ← AES (D, Key)

4. RM_G ← AES (RM_R, Key)

5. RMB ← AES (RM_G, Key)

6. IV= (Primary Key) mod(k)

7. IC red← RM_R (IV)

8. IC green← RM_G (IV)

9.IC blue← RM_B (IV)

10. end for

11. Return (RM, IC)

12. End procedure

4.3.1 Histogram analysis

The histogram of the picture shows the frequency of every pixel. An improved cryptographic system must produce a uniform color distributed histogram. Figure 5 shows the histogram of original and ciphered images. As you can see, histograms of ciphered images are uniform. The large dissimilarity between the two histograms from original and ciphered images denotes that images are greatly uncorrelated and no information can be detected from the cipher pictures which proves that the suggested cryptographic model is resistant versus statistical attacks.

4.3.2 Correlation coefficient analysis

The correlation is a performance that evaluates the grade of similitude between two objects. If the original and the encrypted are different, therefore, the correlation factor is well low or highly close to zero. The reduced values prove that the encryption proceedings are capable to cover all characteristics of the transmitted image. Figure 6 shows the distributions of 2000 pairs randomly selected adjacent pixels of the original and encrypted Lena 512 × 512 × 3 image, respectively in the horizontal, vertical, and diagonal direction.

The following equations are utilized for the study of the correlation between two adjacent pixels in the horizontal, vertical, and diagonal orientations for both clear and ciphered images.

Where x, y are the intensity values of the two adjacent pixels in one image. N is the number of adjacent pixels chosen to compute the correlation.

We measured the correlation factor between the clear and ciphered images in each direction and findings are exposed in Table 2.

Findings show that coefficients are very reduced in the ciphered images in all directions and near to zero. On the other hand, the proposed cryptographic method is compared with other methods existing in the literature and results prove that the propound cryptosystem has a better correlation with the smallest coefficients in all directions which prove the effectuality of the algorithm and its capability for resisting statistical attack.