1 Introduction

The invention of public key cryptography has opened a new direction for several asymmetric privacy-preserving techniques such as information hiding, private information retrieval and oblivious transfer. The main goal of any public key cryptosystem is to achieve secure asymmetric communication without prior communication or secret sharing, in contrast to symmetric key cryptography.

1.1 Motivation and background

It is evident from recent cloud storage and retrieval applications [14, 18, 29, 30, 32] that there is a need to extend security capabilities to accommodate both homomorphism and non-malleability under a single umbrella. Motivated by this, security techniques such as the Encryption Switching Protocol (ESP) have been proposed to provide a single solution covering both homomorphic and non-malleable applications. In asymmetric key cryptography, bijective trapdoor function mappings are used during the encryption process. To overcome the problem of sharing a secret over an insecure channel, which symmetric encryption requires, the concept of asymmetric encryption was proposed using bijective trapdoor one-way function mappings. There are two notable drawbacks in such cryptosystems. First, the security of these cryptosystems depends completely on the underlying hardness assumption(s), not on the underlying mapping function. Second, existing cryptosystems fail to achieve efficient encryption switching between the homomorphic and the non-malleability properties without altering the underlying structure.

Generally, there are four major concerns in any asymmetric key construction: (i) reasonable ciphertext expansion (i.e., the ratio of ciphertext size to plaintext size); (ii) the operations possible on the ciphertexts (such as a homomorphic property); (iii) the possible choice of plaintext type and of the size of the plaintext space; (iv) the level of security (such as chosen ciphertext security). Although most of the existing number-theoretic asymmetric encryptions [10, 15, 22, 27] naturally rule out ciphertexts smaller than the plaintext, because of the number-theoretic modular operations involved (such as addition or multiplication), such schemes enjoy very useful properties such as homomorphism (partial or full) and cover many useful privacy-preserving extensions such as oblivious transfer, private information retrieval and oblivious RAM.

In fact, the security of most of the number-theoretic state-of-the-art schemes (both deterministic and probabilistic) depends completely on the underlying intractability assumption (such as integer factorization, quadratic residuosity, phi-hiding, composite residuosity, etc.) rather than on the underlying bijective functions. Most of these schemes (except, to some extent, lattice-based schemes) are not one-way functions; they are only trapdoor one-way functions. Intuitively, the security of these trapdoor one-way function schemes relies on hiding the trapdoor information rather than on the one-wayness of the underlying mapping function. This motivates us to find an alternative scheme that depends on the one-wayness of the underlying mapping function.

Although these existing schemes exhibit many useful properties, they continue to rely on relatively weak trapdoor one-way functions. This naturally raises the following questions about some of the security properties (such as homomorphism) and mapping types (such as bijective and injective mappings) they adopt.

1.2 A new composite function-based encryption model

This paper proposes a new surjective and/or bijective composite function-based encryption model to answer the following question:

  • “Can we have a probabilistic public key-based encryption switching scheme that can efficiently switch between homomorphism and non-malleability using surjective and/or bijective composite functions?”

Fig. 1 The proposed composite mapping functions

To find out an efficient answer to the above question, we have proposed the following composite trapdoor functions as shown in Fig. 1.

Surjective and Freeman et al. [13] function combinations: For all \(I\in \{0,1\}^{2}\) and for all \(X\in {\mathbb {Z}}^{+1}_{N}\), the quadratic residuosity-based surjective function is \(f: (I,X)\rightarrow Y\) where \(Y\in {\mathbb {Z}}^{+1}_{N}\). For any two \(i_{1},i_{2}\in I\), and for any \(x\in X\) there exists \(y\in Y\) such that \(f:(i_{1},X)\rightarrow y\) and \(f:(i_{2},X)\rightarrow y\). Therefore, the function f is surjective.

For all \(Y\in {\mathbb {Z}}^{+1}_{N}\), the modified quadratic residuosity-based function of Freeman et al. is \(g:Y\rightarrow Z\) where \(Z\in Q_{R}\). For all \(y\in {\mathbb {Z}}^{+1}_{N}\), \(g:y\rightarrow z\) is defined as \(g(y)=y^{2}\). The mapping g(y) loses the position (i.e., whether y lies in [1,\(\frac{N}{2}\)] or in [\(\frac{N}{2}+1\),\(N-1\)]) of the input y in the ciphertext.

Fig. 2 The encryption switching mechanism of the proposed scheme

In this paper, we introduce a new probabilistic public key-based encryption switching scheme (i.e., one that switches between homomorphism and non-malleability during the encryption phase without changing the underlying structure), in which the encryption takes the message and a switchable public key (either the homomorphic public key or the non-malleable public key) and outputs the respective ciphertext, as shown in Fig. 2. By carefully selecting the appropriate combination of public key and proposed composite functions, the proposed model switches between a homomorphic scheme and a non-malleable scheme. The proposed encryption switching model has the following notable features.

  • Novel tricks: The proposed model involves novel crypto (i.e., the proposed composite functions) and non-crypto techniques to overcome several security drawbacks of the existing systems.

  • Probabilistic encryption: The proposed model essentially involves the probabilistic encryption in which every ciphertext generated is always a result of the randomized operations of its plaintext.

  • One-wayness of the encryption functions: In contrast to the existing systems, the one-wayness of the proposed model depends partially on the underlying intractability assumption, with the remaining dependency on the underlying composite functions. Nevertheless, every ciphertext decrypts uniquely to the intended plaintext.

  • Semantic security: The proposed model is semantically secure if the underlying quadratic residuosity assumption is semantically secure.

  • Encryption switching: Along with the semantic security, the proposed model supports encryption switching i.e., at the given instance, the model can behave either as the probabilistic homomorphic encryption or the probabilistic non-malleable encryption.

    • Homomorphic property: The probabilistic homomorphic encryption version of the proposed model supports the homomorphic multiplication operations on the ciphertexts.

    • Non-malleability property: The probabilistic non-malleable encryption version of the proposed model supports the non-malleability support on the ciphertexts.

  • Efficiency: Compared with the most practical encryptions, the proposed model is roughly comparable with respect to ciphertext expansion and running time. The encryption and key generation times of the proposed model are better than those of number-theoretic encryptions such as RSA, whereas its decryption time is slower than the existing encryptions. For any k-bit plaintext, the proposed model generates a ciphertext of around k + 2 log N bits, where \(k\in \{0,1\}^{*}\) and N is the RSA composite.

  • Security parameter independent plaintext space: The proposed model involves any n-bit binary string as a plaintext. Therefore, the plaintext space is totally independent of the security parameter (Note: plaintext size \(n\le log~N\) in case of RSA encryption where N is the RSA composite number).

1.3 Related work

To overcome the problem of sharing a secret over an insecure channel in symmetric encryption, the concept of asymmetric encryption was formally introduced by Diffie and Hellman [10].

The seminal work of Diffie and Hellman [10], based on the discrete logarithm problem (DLP), satisfied the need to share data securely over an insecure channel using a trapdoor-based one-way function. Various improvements on [10], including ElGamal and McCurley [12, 19], have achieved several cryptographic milestones that make the asymmetric mode of encryption more realistic and application friendly. But this family of schemes suffers from two major drawbacks. First, the plaintext space is restricted to a specific type and size. Second, the homomorphic property of these schemes is not suitable for high-security applications, since a variety of adversaries can attack such systems.

The first practical result for efficient asymmetric encryption was constructed by Rivest et al. [27] and is popularly known as RSA. A generalized version of RSA was constructed by Rabin [26] using the problem of finding square roots modulo a composite number. Further comprehensive research [17, 28, 33] has been carried out on these schemes to find more practical and secure systems. This class of systems successfully achieves a ciphertext size equal to the plaintext size but fundamentally suffers from malleability attacks.

To withstand a line tapper, Goldwasser and Micali [15] systematically presented the first probabilistic bit-level encryption with the relaxed notion of security called “semantic security”, using quadratic residuosity as the underlying primitive. But this scheme offers no way to achieve a reasonable ciphertext expansion factor and also no support for the non-malleability [2] feature. Several research efforts, including Park and Won [23], Vanstone [31], Benaloh [3], Naccache and Stern [20] and Okamoto [21], have been carried out to reduce the communication cost of this type of encryption. Notably, Blum and Goldwasser [4] almost achieved an efficient communication cost for large plaintexts, but still no support was provided for a non-malleability feature.

One more class of probabilistic asymmetric encryption was introduced by Paillier [22] using the composite residuosity problem. The ciphertext size of this scheme is twice the size of the plaintext. Several cryptographers, including Cramer and Shoup [8] and Damgård and Jurik [9], have worked to provide communication-efficient and secure schemes. Unfortunately, this class of encryptions has also failed to provide efficient encryption switching.

To construct homomorphic and CCA secure encryptions, many cryptographers [1, 5, 6, 16, 24, 25] have constructed almost optimal results using a variety of cryptographic primitives. But, the fundamental design requires multiple structures to provide homomorphism and CCA security.

To the best of our knowledge, no existing probabilistic scheme offers (in its basic construction) a reasonable expansion factor together with efficient encryption switching capabilities. In fact, many secure cloud storage and retrieval efforts have been proposed [14, 18, 32] using existing security techniques. But today’s cloud technologies are looking for an encryption switching scheme that supports both homomorphism and non-malleability at the scheme level with minimum computational overhead. Though some encryption switching schemes exist, such as the one presented by Couteau et al. [7], they have several notable drawbacks, as listed below.

  • The encryption switching developed in [7] depends upon several security assumptions such as decisional composite residuosity, decisional Diffie-Hellman, and quadratic residuosity whereas our proposed scheme depends upon a single quadratic residuosity assumption.

  • In [7], the plaintext space is limited to the multiplicative group \({\mathbb {Z}}^{*}_{N}\), whereas the plaintext space of our proposed scheme is free from \({\mathbb {Z}}^{*}_{N}\).

  • Most importantly, in [7], the encryption switching happens between two different cryptosystems whereas in our proposed scheme encryption switching happens within the same cryptosystem without altering the fundamental design.

2 Preliminaries and notations

This section describes all the necessary notations and background required for the proposed scheme.

2.1 Notations

Let \([i]\triangleq \{1,2,\ldots ,i\}\) and let \([i,j]\) denote the process of selecting all the elements from i to j iteratively. Let \(N\in \{0,1\}^{k}\) be the RSA composite modulus with large distinct prime factors \(p\equiv q\equiv 3 \pmod 4\), let \(Q_{R}\) denote the set of quadratic residues modulo N with Jacobi symbol (\(\mathcal {JS}\)) 1, and let \({\overline{Q}}_{R}\) denote the set of quadratic non-residues modulo N with Jacobi symbol \(-1\). Let \({\mathbb {Z}}^{+1}_{N}=(Q_{R}\cup {\overline{Q}}_{R})\) be the set of all elements modulo N with Jacobi symbol 1 and \({\mathbb {Z}}^{-1}_{N}\) be the set of all elements modulo N with Jacobi symbol \(-1\). Let \(\mathcal {LS}\) be the Legendre symbol. Let the plaintext be \({\mathcal {M}}\in \{0,1\}^{n}\), where \(n=\{2i: i\in {\mathbb {N}}\}\) is the plaintext size. Let the notation \(<A,B>\) denote the ciphertext set in which \(A\in {\mathbb {Z}}^{+1}_{N}\) and \(B\in \{0,1\}^{l}\) with \(l<n\). Let \(p^{QR}\) be the quadratic residuosity assumption probability and \(p^{R}\) be the probability of a single fair coin toss. Let r, s, t, w be the public key components.

2.2 Quadratic residuosity

For each \(y\in {\mathbb {Z}}^{*}_{N}\), if \(x^{2}\equiv y\) (mod N) (where \(x\in {\mathbb {Z}}^{+1}_{N}\)) then \(y\in Q_{R}\) otherwise \(y\in {\overline{Q}}_{R}\) or \(y\in {\mathbb {Z}}^{{-}1}_{N}\).

2.3 Quadratic residuosity predicate (\(\mathcal {PR}\))

For all \(x\in {\mathbb {Z}}^{*}_{N}\), \(\mathcal {PR}\) is a function returning a boolean value (0 or 1) that indicates whether “x” is in \(Q_{R}\) (\(\mathcal {PR}_{p,q}(x)=1\)) or in \({\overline{Q}}_{R}\) (\(\mathcal {PR}_{p,q}(x)=0\)).

2.4 Quadratic residuosity assumption (QRA)

Deciding the quadratic residuosity of a number modulo N is intractable in polynomial time. That is, for every probabilistic polynomial time algorithm \({\mathcal {G}}\) there exists a negligible function \({\mathcal {F}}\) such that \(\mid {\mathbb {P}}[{\mathcal {G}}(x_{Q_{R}},N)=1]-{\mathbb {P}}[{\mathcal {G}}(x_{{\overline{Q}}_{R}},N)=1]\mid \le {\mathcal {F}}(k)\), where k is the security parameter, \(x_{Q_{R}}\in Q_{R}\), \(x_{{\overline{Q}}_{R}}\in {\overline{Q}}_{R}\) and \({\mathbb {P}}\) is the probability function.

2.5 QRA-based trapdoor function of Freeman et al. [13] (TF)

For all random input \(x\in {\mathbb {Z}}^{*}_{N}\) and the public key components \(s\in {\overline{Q}}_{R}\) with Jacobi Symbol \(-1\) and \(t\in {\overline{Q}}_{R}\), the quadratic residuosity-based function described in [13] is

$$\begin{aligned} x^{2}\cdot s^{j}\cdot t^{h}~(\text {mod}~N) \end{aligned}$$
(1)

where \(j=0\) if the Jacobi symbol of x is 1 otherwise \(j=1\). Also, \(h=0\) if \(x\le N/2\) otherwise h=1. If the value h of the input number is stored as a “trapdoor” for all random input \(x\in {\mathbb {Z}}^{+1}_{N}\), then the modified function is

$$\begin{aligned} \mathcal {TD}(x)=\big (x^{2}\equiv C~(\text {mod}~N)\big )=(C,h_{x}) \end{aligned}$$
(2)

where \(h_{x}\) is the ‘h’ value of x as discussed in Eq. (1) and the respective inverse is \(\mathcal {TD}^{{-}1}(C, j=0,h_{x})=\sqrt{C}=x\).

Probabilistic Encryption: For all given random \(x\in {\mathbb {Z}}^{+1}_{N}\) and random \(r\in {\overline{Q}}_{R}\), for all random \(\delta \in \{0,1\}\), the modified probabilistic trapdoor function of Eq. (2) is

$$\begin{aligned} \mathcal {TD}(x)=\big (x^{2}\cdot r^{\delta }\equiv C~(\text {mod}~N)\big )=(C,h_{x}) \end{aligned}$$
(3)

and the respective inverse function is defined as \(\mathcal {TD}^{-1}(C, j=0, h_{x}) = \sqrt[j,h_{x}]{C\cdot r^{-\delta }} = x\), where “\(\sqrt{\cdot }\)” is the square root finding function modulo N, “\(\cdot \)” is the modular multiplication operator, and “\(r^{-\delta }\)” (when \(\delta =1\)) is the modular inverse of r modulo N.

3 A new algebraic framework

This section describes the algebraic frameworks used in the proposed scheme.

3.1 QRA-based single bit encryption (SBE)

Let a bit \(b\in \{0,1\}\). For all random input \(x,y\in {\mathbb {Z}}^{+1}_{N}\) and random public key components \(r,s\in {\mathbb {Z}}^{+1}_{N}\) with \(\mathcal {PR}(r)\ne \mathcal {PR}(s)\), \(w\in {\mathbb {Z}}_{N}^{-1}\), the single bit encryption \({\mathcal {E}}_{s}(b,N,x,y,r,s,w)\) is given as

$$\begin{aligned} {\mathcal {E}}_{s}=(c_{1},c_{2})~\text {with (all congruences mod}~N\text {)}: \end{aligned}$$

$$\begin{aligned} \begin{array}{c|c|c|l} (j,h)_{x};\,(j,h)_{y} & \mathbf{If}~b=0 & \mathbf{If}~b=1 & \text {case} \\ \hline (0,0);\,(0,0) & x^{2}\cdot r\equiv c_{1},\ y^{2}\cdot w\equiv c_{2} & x^{2}\cdot r\equiv c_{1},\ y^{2}\cdot s\equiv c_{2} & \mathbf{if }~x\le \frac{N}{2},\ y\le \frac{N}{2} \\ (0,0);\,(0,1) & x^{2}\cdot r\equiv c_{1},\ y^{2}\cdot r\equiv c_{2} & x^{2}\cdot w\equiv c_{1},\ y^{2}\cdot r\equiv c_{2} & \mathbf{if }~x\le \frac{N}{2},\ y>\frac{N}{2} \\ (0,1);\,(0,0) & x^{2}\cdot w\equiv c_{1},\ y^{2}\cdot s\equiv c_{2} & x^{2}\cdot s\equiv c_{1},\ y^{2}\cdot s\equiv c_{2} & \mathbf{if }~x>\frac{N}{2},\ y\le \frac{N}{2} \\ (0,1);\,(0,1) & x^{2}\cdot s\equiv c_{1},\ y^{2}\cdot r\equiv c_{2} & x^{2}\cdot s\equiv c_{1},\ y^{2}\cdot w\equiv c_{2} & \mathbf{if }~x>\frac{N}{2},\ y>\frac{N}{2} \end{array} \end{aligned}$$
(4)

The inputs \(x,y\in {\mathbb {Z}}^{+1}_{N}\) carry their respective j,h values as described in Eq. (1). Therefore, there are four possible j,h combinations (listed in the first column of Eq. (4)) for any \(x,y\in {\mathbb {Z}}^{+1}_{N}\) when \(j=0\). Encryption of b uses the pair of equations matching those values. For instance, if \(j_{x}=0,h_{x}=0\) and \(j_{y}=0, h_{y}=1\), bit \(b=0\) is encrypted using the pair of equations in the second row and second column of Eq. (4). Similarly, bit \(b=1\) is encrypted using the second row and third column of Eq. (4).

The decryption of \({\mathcal {E}}_{s}\) to get back bit b involves the identification of the respective quadratic residuosity properties of the ciphertexts \(c_{1}\) and \(c_{2}\) as follows.

  • Step-1: Find the quadratic residuosity properties of the ciphertexts \(c_{1}\) and \(c_{2}\) as \(\mathcal {PR}(c_{1})\) and \(\mathcal {PR}(c_{2})\). Based on these properties, output b and the (j,h) combinations of x and y.

  • Step-2: Multiply respective public key inverses to the ciphertexts to get back \(x^{2}\), \(y^{2}\). Then, given \(x^{2}\) and (\(j_{x}\), \(h_{x}\)) values, find unique x as described in Eq. (2). Similarly, given \(y^{2}\) and (\(j_{y}\), \(h_{y}\)) values, find unique y as described in Eq. (2).

3.2 QRA-based bit pair encryption (BPE)

Let (a,b) be a bit-pair where \(a,b\in \{0,1\}\) (a is the first bit and b is the second bit). For all random input \(x\in {\mathbb {Z}}^{+1}_{N}\), random public key components \(r,s\in {\mathbb {Z}}^{+1}_{N}\) with \(\mathcal {PR}(r)\ne \mathcal {PR}(s)\), and random \(t\in {\overline{Q}}_{R}\), the probabilistic encryption \({\mathcal {E}}((a,b),N,x,r,s,t)\) of the bit pair is

$$\begin{aligned} \begin{aligned} {\mathcal {E}}&=\left\{ \begin{array}{c l} x\cdot r\cdot r~\equiv ~y~(\text {mod}~N)~\mathbf{if }~a=0,b=0\\ x\cdot r\cdot s~\equiv ~y~(\text {mod}~N)~\mathbf{if }~a=0,b=1\\ x\cdot t\ \ \ \ \ \equiv ~y~(\text {mod}~N)~\mathbf{if }~a=1,b=0\\ x\cdot s\cdot s~\equiv ~y~(\text {mod}~N)~\mathbf{if }~a=1,b=1 \end{array}\right. =y \end{aligned} \end{aligned}$$
(5)

For any \(x\in {\mathbb {Z}}^{+1}_{N}\), the unique combinations of \(r,s\in {\mathbb {Z}}^{+1}_{N}\) and \(t\in {\overline{Q}}_{R}\) are given in Table 1. Since there is no pre-agreement in public key encryption, any one of the combinations given in Table 1 is fixed for encryption. For convenience, let \(r\in {\overline{Q}}_{R}\), \(x,s\in Q_{R}\), and let the first combination of the table be used for the encryption of the bit-pair.

Table 1 Unique combinations of \(r,s\in {\mathbb {Z}}^{+1}_{N}\) with \(\mathcal {PR}(r)\ne \mathcal {PR}(s)\), \(t\in {\overline{Q}}_{R}\) for the given \(x\in {\mathbb {Z}}^{+1}_{N}\)

Decryption: Given the ciphertext y, the second bit b (assume that the second bit b has been received from some other function) and the private key p, q, the decryption function outputs the first bit a and the input x as follows.

  • Step-1: Find the quadratic residuosity of the ciphertext y as \(\mathcal {PR}(y)\).

  • Step-2: Given \(\mathcal {PR}(y)\) and the second bit b, find the first bit a and the input x as

    $$\begin{aligned} \begin{aligned} {\mathcal {E}}^{-1}&=\left\{ \begin{array}{l} a=0~\text {and}~y\cdot r^{-1}\cdot r^{-1}\equiv x~~\mathbf{if }~b=0,\ y\in Q_{R}\\ a=0~\text {and}~y\cdot r^{-1}\cdot s^{-1}\equiv x~~\mathbf{if }~b=1,\ y\in {\overline{Q}}_{R}\\ a=1~\text {and}~y\cdot t^{-1}\equiv x~~\mathbf{if }~b=0,\ y\in {\overline{Q}}_{R}\\ a=1~\text {and}~y\cdot s^{-1}\cdot s^{-1}\equiv x~~\mathbf{if }~b=1,\ y\in Q_{R} \end{array}\right. \\&=(x,a) \end{aligned} \end{aligned}$$
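The trapdoor function of Eq. (2) (Sect. 2.5) and the bit-pair encryption of Eq. (5) with the decryption just given, worked through in Python as an added example; this is not the paper's own code. It assumes a constructed toy modulus N = 7·11 = 77 with p ≡ q ≡ 3 (mod 4), and constructed public-key components x = 4 and s = 9 in \(Q_{R}\) together with r = 6 and t = 10 chosen as non-residues modulo both primes (so their Jacobi symbol is +1), which is the convention fixed above; all function names are the example's own. Its `demo` also feeds each BPE output y into TD, the single step that the CC-BPE chain of Sect. 3.3 repeats.

```python
"""Toy implementation of two building blocks of the scheme (added example, not the paper's code):
Eq. (2) TD(x) = (x^2 mod N, h_x) with its inverse (Sect. 2.5), and the bit-pair
encryption BPE of Eq. (5) with the decryption of Sect. 3.2.
All parameters below are constructed: N = 7 * 11 stands in for a real RSA modulus."""
from itertools import product

# Constructed trapdoor: p and q are both 3 (mod 4), as the paper requires.
P, Q = 7, 11
N = P * Q


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard quadratic-reciprocity loop)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def legendre(a, prime):
    """Legendre symbol (a/prime) via Euler's criterion: 1 for a residue, -1 otherwise."""
    sym = pow(a, (prime - 1) // 2, prime)
    return -1 if sym == prime - 1 else sym


def pr(x, p=P, q=Q):
    """Predicate PR_{p,q}(x) of Sect. 2.3: 1 iff x is a square modulo both p and q."""
    return 1 if legendre(x, p) == 1 and legendre(x, q) == 1 else 0


def h_value(x, n=N):
    """The 'h' of Eq. (1): 0 if x <= N/2, else 1 (the position that squaring loses)."""
    return 0 if 2 * x <= n else 1


def td(x, n=N):
    """Eq. (2): TD(x) = (x^2 mod N, h_x) for x with Jacobi symbol +1."""
    return pow(x, 2, n), h_value(x, n)


def td_inverse(c, h, p=P, q=Q):
    """Inverse of Eq. (2): the unique root of c with Jacobi symbol +1 (j = 0) and position h.
    With p, q = 3 (mod 4), c^((p+1)/4) is a square root modulo p; CRT gives the four roots
    modulo N, and (-1/N) = +1 guarantees exactly two of them have Jacobi symbol +1,
    one on each side of N/2, so (j, h) pins down a single root."""
    n = p * q
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    q_inv, p_inv = pow(q, -1, p), pow(p, -1, q)
    roots = {(sp * q * q_inv + sq * p * p_inv) % n
             for sp, sq in product((rp, -rp % p), (rq, -rq % q))}
    matches = [r for r in roots if jacobi(r, n) == 1 and h_value(r, n) == h]
    assert len(matches) == 1, "(j=0, h) must select exactly one of the four roots"
    return matches[0]


# Constructed public-key components in the convention of Sect. 3.2: x, s in Q_R
# (squares mod both primes); r, t non-residues mod both primes, so Jacobi symbol +1.
X, R, S, T = 4, 6, 9, 10


def bpe_encrypt(a, b, x=X, r=R, s=S, t=T, n=N):
    """Eq. (5): encrypt the bit pair (a, b) as y = x * (key product) mod N."""
    factor = {(0, 0): r * r, (0, 1): r * s, (1, 0): t, (1, 1): s * s}[(a, b)]
    return (x * factor) % n


def bpe_decrypt(y, b, r=R, s=S, t=T, p=P, q=Q):
    """Sect. 3.2 decryption: from y, the second bit b and the trapdoor (p, q), recover (x, a).
    The residuosity of y together with b selects the row of the inverse table."""
    n = p * q
    is_qr = pr(y, p, q) == 1
    if b == 0 and is_qr:          # y = x*r*r
        return (y * pow(r * r, -1, n)) % n, 0
    if b == 1 and not is_qr:      # y = x*r*s
        return (y * pow(r * s, -1, n)) % n, 0
    if b == 0 and not is_qr:      # y = x*t
        return (y * pow(t, -1, n)) % n, 1
    return (y * pow(s * s, -1, n)) % n, 1   # y = x*s*s


def demo():
    """Round-trip every bit pair through BPE, then pass y through TD as a chain step would
    (Sect. 3.3 feeds each BPE output into TD). Returns {(a,b): (y, PR(y), ok)}."""
    out = {}
    for a, b in product((0, 1), repeat=2):
        y = bpe_encrypt(a, b)
        x_back, a_back = bpe_decrypt(y, b)
        c, h = td(y)
        ok = (x_back, a_back) == (X, a) and td_inverse(c, h) == y
        out[(a, b)] = (y, pr(y), ok)
    return out


if __name__ == "__main__":
    for pair, (y, is_qr, ok) in demo().items():
        print(f"(a,b)={pair}: y={y:2d}  PR(y)={is_qr}  round trip ok={ok}")
```

The inverse of TD is where the (j, h) trapdoor information does its work: of the four square roots of C modulo N, the two with Jacobi symbol +1 are x and N − x, and h says on which side of N/2 the intended one lies. On the BPE side, \(\mathcal {PR}(y)\) (which needs p and q) separates only the rows {(0,0),(1,1)} from {(0,1),(1,0)}, so the decryptor must obtain the second bit b from elsewhere to resolve a, exactly as the text assumes.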

3.3 Contiguous chain bit pair encryption (CC-BPE)

Let l bit plaintext be \(P=\{b_{1}, b_{2}, \ldots , b_{l}\}\). For all random input \(x\in {\mathbb {Z}}^{+1}_{N}\) and random public key components \(r,s\in {\mathbb {Z}}^{+1}_{N}\) with \(\mathcal {PR}(r)\ne \mathcal {PR}(s)\) and random \(t\in {\overline{Q}}_{R}\), the contiguous chain encryption \({\mathcal {E}}_{con}(P,N,x,r,s,t)\) as shown in Fig. 3 is

$$\begin{aligned} {\mathcal {E}}_{con}&={\mathcal {E}}_{i}\big ((b_{d=l-c},b_{l}),\ \mathcal {TD}_{i-1}({\mathcal {E}}_{i-1}((b_{d-c},b_{d}),\ \mathcal {TD}_{i-2}({\mathcal {E}}_{i-2})))\big )\\ &=<y_{1},\ y_{2}=\{h_{u_{1}},h_{u_{2}},\ldots ,h_{u_{(l-2)}}\}>\\ &={\mathcal {C}}_{1} \end{aligned}$$

where \(c\in [l]\), \(3\le i< l\), \({\mathcal {E}}(\cdot )\) is the BPE encryption described in Eq. (5), \(\mathcal {TD}(\cdot )\) is the injective function described in Eq. (2) and \(<y_{1},y_{2}>\) is the ciphertext set where \(y_{1}\in \{0,1\}^{k}\), \(y_{2}=\{h_{u_{1}}, h_{u_{2}}, \ldots ,h_{u_{(l-2)}}\}\). Each \(u_{j}\in {\mathbb {Z}}_{N}^{+1}\), \(j\in [1,l-1]\), is the intermediate ciphertext coming out of each \({\mathcal {E}}\) and each \(h_{u_{j}}\) is its “h” value. The respective decryption (i.e., \({\mathcal {E}}^{-1}_{con}\)) of CC-BPE is simply the inverse function of \({\mathcal {E}}_{con}\). For instance, consider the ordered subset \(({\mathcal {M}}^{'}\subseteq {\mathcal {M}}\times {\mathcal {M}})=\{(b_{2}, b_{4}), (b_{4}, b_{6}),\ldots , (b_{n-2},b_{n})\}\). The encryption of the plaintext \({\mathcal {M}}^{'}\) using the contiguous chain encryption \({\mathcal {E}}_{con}({\mathcal {M}}^{'},N,x,r,s,t)\) is given as

$$\begin{aligned} {\mathcal {E}}_{con}={\mathcal {E}}_{i}\big ((b_{d=n-2},b_{n}),\ \mathcal {TD}_{i-1}({\mathcal {E}}_{i-1}((b_{d-c},b_{d}),\ \mathcal {TD}_{i-2}({\mathcal {E}}_{i-2})))\big ) \end{aligned}$$

where \(c=2\).

Fig. 3 Contiguous and discrete chain BPE encryptions

3.4 Discrete chain bit pair encryption (DC-BPE)

Let l bit plaintext be \(P=\{b_{1}, b_{2}, \ldots , b_{l}\}\). For all random input \(x\in {\mathbb {Z}}^{+1}_{N}\) and public key components \(r,s\in {\mathbb {Z}}^{+1}_{N}\) with \(\mathcal {PR}(r)\ne \mathcal {PR}(s)\) and \(t\in {\overline{Q}}_{R}\), the discrete chain encryption \({\mathcal {E}}_{dis}(P,N,x,r,s,t)\) as shown in Fig. 3 is

$$\begin{aligned} {\mathcal {E}}_{dis}&={\mathcal {E}}_{i}\big ((b_{d=l-c},b_{l}),\ \mathcal {TD}_{i-1}({\mathcal {E}}_{i-1}((b_{d-e-c},b_{d-e}),\ \mathcal {TD}_{i-2}({\mathcal {E}}_{i-2})))\big )\\ &=<y_{3},\ y_{4}=\{h_{v_{1}},h_{v_{2}},\ldots ,h_{v_{(\frac{l}{2}-1)}}\}>\\ &={\mathcal {C}}_{2} \end{aligned}$$
(6)

where \(c\in [l]\), \(3\le i< l\), \({\mathcal {E}}(\cdot )\) is the BPE encryption as described in Eq. (5), \(\mathcal {TD}(\cdot )\) is the modified trapdoor function described in Eq. (2) and \(<y_{3},y_{4}>\) is the ciphertext set where \(y_{3}\in \{0,1\}^{k}, y_{4}=\{h_{v_{1}}, h_{v_{2}}, \ldots ,h_{v_{(\frac{l}{2}-1)}}\}\). Each \(v_{j}\in {\mathbb {Z}}_{N}^{+1}\), \(j\in [1,l-1]\), is the intermediate ciphertext coming out of each \({\mathcal {E}}\) and each \(h_{v_{j}}\) is its “h” value. The respective decryption (i.e., \({\mathcal {E}}^{-1}_{dis}\)) of DC-BPE requires additional aid from other CC-BPE or DC-BPE chains. For instance, consider the ordered subset \(({\mathcal {M}}^{''}\subseteq {\mathcal {M}}\times {\mathcal {M}})=\{(b_{1},b_{2}), (b_{3},b_{4}), \ldots , (b_{n-1},b_{n})\}\). The encryption of the plaintext \({\mathcal {M}}^{''}\) using the discrete chain encryption \({\mathcal {E}}_{dis}({\mathcal {M}},N,x,r,s,t)\) is given as

$$\begin{aligned} {\mathcal {E}}_{dis}={\mathcal {E}}_{i}\big ((b_{d=n-1},b_{n}),\ \mathcal {TD}_{i-1}({\mathcal {E}}_{i-1}((b_{d-2},b_{d-1}),\ \mathcal {TD}_{i-2}({\mathcal {E}}_{i-2})))\big ) \end{aligned}$$

where \(c=1\), \(e=1\).

Table 2 Type of decryption
Table 3 The proposed subset pairs and their respective chain pairs

3.5 Dependent/independent decryption

We call the decryption of a DC-BPE chain “dependent decryption”, since the second bit of each BPE used in the DC-BPE is obtained (during decryption) from the corresponding CC-BPE or DC-BPE. We call the decryption of a CC-BPE chain “independent decryption”, since the second bit of each succeeding BPE of the CC-BPE is obtained (during decryption) from the preceding BPE of the same CC-BPE (refer to Table 2). Note that a DC-BPE alone cannot recover the second bits of its component BPEs, whereas a CC-BPE alone can. For instance, the second bit of each BPE (\({\mathcal {E}}_{i-1}\)) of the CC-BPE of Eq. (3.3) is the same as the first bit of the BPE (\({\mathcal {E}}_{i-2}\)) when \(c=2\). Also, the second bit of each BPE (\({\mathcal {E}}_{i-1}\)) of the DC-BPE of Eq. (6) when \(c=1\), \(e=1\) is obtained from the respective BPE (\({\mathcal {E}}_{i}\)) of the CC-BPE of Eq. (3.3) when \(c=2\).

3.6 Possible subsets to improve the performance

For all n bit plaintext \({\mathcal {M}}=\{b_{1},b_{2},\ldots ,b_{n}\}\), the possible ordered subsets (partial) of \({\mathcal {M}}\times {\mathcal {M}}\) are

$$\begin{aligned} \begin{aligned} {\mathcal {M}}_{1}&=\{b_{i} : i=i+2, i\in [1,n{-}1]\}\\ {\mathcal {M}}_{2}&=\{b_{i} : i=i+2, i\in [2,n]\}\\ {\mathcal {M}}_{3}&=\{(b_{i},b_{i+2}) : i=i+2, i\in [2,n{-}2]\}\\ {\mathcal {M}}_{4}&=\{(b_{i},b_{i+2}) : i=i+2, i\in [1,n{-}3]\}\\ {\mathcal {M}}_{5}&=\{(b_{i},b_{i+1}) : i=i+2, i\in [1,n{-}1]\}\\ {\mathcal {M}}_{6}&=\{(b_{i},b_{i+1}) : i=i+2, i\in [2,n{-}2]\}\\ {\mathcal {M}}_{7}&=\{b_{i} : i=i+1, i\in [1,n{-}1]\} \end{aligned} \end{aligned}$$
(7)

and we group a pair of the above subsets in such a way that the concatenation of the bits of the subset pair always equals the plaintext \({\mathcal {M}}\). The possible pairs of such subsets are (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{2}\)), (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{3}\)), (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{5}\)), (\({\mathcal {M}}_{2}\),\({\mathcal {M}}_{4}\)), (\({\mathcal {M}}_{2}\),\({\mathcal {M}}_{5}\)), (\({\mathcal {M}}_{3}\),\({\mathcal {M}}_{4}\)), (\({\mathcal {M}}_{3}\),\({\mathcal {M}}_{5}\)), (\({\mathcal {M}}_{5}\),\({\mathcal {M}}_{5}\)), (\({\mathcal {M}}_{5}\),\({\mathcal {M}}_{6}\)). In addition, the single subset \({\mathcal {M}}_{7}\) can also be used to encrypt the given plaintext (using contiguous chain bit-pair encryption). We use one of these pairs, (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{3}\)), throughout this paper to explain the proposed scheme.

3.7 Decryption dependent ciphers

We call \(y_{1}\), \(y_{2}\) of CC-BPE or \(y_{3}\), \(y_{4}\) of DC-BPE as “dependent ciphers” since they are completely dependent on each other during decryption.

Definition 1

A Probabilistic Public Key Cryptosystem is a 3-tuple (\(\mathtt {KG}\),\(\mathtt {E}\),\(\mathtt {D}\)) consisting of two probabilistic polynomial time (PPT) algorithms \(\mathtt {KG}\), \(\mathtt {E}\) and a deterministic algorithm \(\mathtt {D}\), described as follows.

  • Key Generation (\(\mathtt {KG}\)): Given a random security parameter k, algorithm generates a randomized public and private key pair (\(\mathcal {PK},\mathcal {SK}\)).

  • Encryption (\(\mathtt {E}\)): Chooses a public key \(\mathcal {PK}\xleftarrow {R}{\mathbb {Z}}_{N}^{*}\) with certain quadratic residuosity property, a message \({\mathcal {M}}\in {\mathbb {S}}\) and generates a ciphertext \({\mathcal {C}}=\mathtt {E}(\mathcal {PK},{\mathcal {M}})\).

  • Decryption (\(\mathtt {D}\)): Given the secret key \(\mathcal {SK}\) and ciphertext \({\mathcal {C}}\), algorithm generates the same message \({\mathcal {M}}\) as \({\mathcal {M}}=\mathtt {D}(\mathcal {SK},{\mathcal {C}})\).

Indistinguishable Property: We say the ciphertexts are indistinguishable if any two ciphertexts \({\mathcal {C}}_{1}=\mathtt {E}(\mathcal {PK}_{1},{\mathcal {M}})\) and \({\mathcal {C}}_{2}=\mathtt {E}(\mathcal {PK}_{2},{\mathcal {M}})\) generated from \(\mathtt {E}\) are computationally indistinguishable under the standard QRA proposed in [15]. That is, for every PPT adversary \({\mathcal {A}}\) there exists a negligible function \({\mathcal {F}}\) such that \(\mid {\mathbb {P}}[{\mathcal {A}}(\mathcal {PR}(\mathcal {PK}_{1}),N)=1]-{\mathbb {P}}[{\mathcal {A}}(\mathcal {PR}(\mathcal {PK}_{2}),N)=1]\mid \le {\mathcal {F}}(k)\), where k is the security parameter, \(\mathcal {PR}\) is the quadratic residuosity predicate function and \({\mathbb {P}}\) is the probability function.

Correctness: We say that PKE satisfies correctness if for all (\(\mathcal {PK},\mathcal {SK}\))\(\xleftarrow {R}\mathtt {KG}(1^{k})\), \({\mathbb {P}}[\mathtt {D}(\mathcal {SK},\mathtt {E}(\mathcal {PK},{\mathcal {M}}))={\mathcal {M}}]\)=1 (where the randomness is taken over the internal coin tosses of algorithm \(\mathtt {E}\)).

Definition 2

The public-key encryption scheme described in Definition 1 is said to be semantically secure if for any PPT distinguisher \({\mathcal {A}}\) and any pair of messages \({\mathcal {M}}_{0}\), \({\mathcal {M}}_{1}\), given the public key \(\mathcal {PK}\), the advantage in distinguishing \({\mathcal {C}}_{0}=\mathtt {E}(\mathcal {PK},{\mathcal {M}}_{0})\) from \({\mathcal {C}}_{1}=\mathtt {E}(\mathcal {PK},{\mathcal {M}}_{1})\) is negligible in the security parameter. In other words, the above scheme is semantically secure as long as the underlying quadratic residuosity assumption holds.

Definition 3

Let (\(G_{1}\),\(\cdot \)) and (\(G_{2}\),*) be groups. Let \(\mathtt {E}\) be the probabilistic encryption algorithm and \(\mathtt {D}\) the decryption algorithm of an encryption scheme with plaintext set \(G_{1}\) and ciphertext set \(G_{2}\). The encryption scheme defined in Definition 1 is said to be group homomorphic if the encryption map \(\mathtt {E}:G_{1}\rightarrow G_{2}\) has the following property: \(\forall {\mathcal {M}}_{0},{\mathcal {M}}_{1}\in G_{1}\), \(\mathtt {D}(\mathtt {E}({\mathcal {M}}_{0}\cdot {\mathcal {M}}_{1}))=\mathtt {D}(\mathtt {E}({\mathcal {M}}_{0})*\mathtt {E}({\mathcal {M}}_{1}))\).

Definition 4

[NM-CPA, NM-CCA1, NM-CCA2] Let NM-CPA, NM-CCA1 and NM-CCA2 denote non-malleability under chosen plaintext attack, chosen ciphertext attack 1 and chosen ciphertext attack 2, respectively. Let \(\Pi \) = (\(\mathtt {KG}, \mathtt {E}, \mathtt {D}\)) be an encryption scheme as defined in Definition 1 and let C = (\(C_{1}, C_{2}\)) be an adversary consisting of a pair of algorithms. For atk \(\in \{cpa, cca1, cca2\}\) and \(k\in {\mathbb {N}}\), define \(Adv_{C,\Pi }^{nm-atk}(k)={\mathbb {P}}[Expt_{C,\Pi }^{atk-1}(k)\Rightarrow 1]-{\mathbb {P}}[Expt_{C,\Pi }^{atk-0}(k)\Rightarrow 1]\), where the oracles \({\mathcal {O}}_{1}\) and \({\mathcal {O}}_{2}\) used in the experiments are set as follows. If atk = cpa then \({\mathcal {O}}_{1}(\cdot )=\epsilon \) and \({\mathcal {O}}_{2}(\cdot )=\epsilon \). If atk = cca1 then \({\mathcal {O}}_{1}(\cdot )=\mathtt {D}(\mathcal {SK},\cdot )\) and \({\mathcal {O}}_{2}(\cdot )=\epsilon \). If atk = cca2 then \({\mathcal {O}}_{1}(\cdot )=\mathtt {D}(\mathcal {SK},\cdot )\) and \({\mathcal {O}}_{2}(\cdot )=\mathtt {D}(\mathcal {SK},\cdot )\).


4 New probabilistic single structure encryption switching scheme (ESwiS)

In this section, we propose quadratic residuosity-based asymmetric encryptions as defined in Definition 1. Let the plaintext be \({\mathcal {M}}=\{b_{1},b_{2},\ldots ,b_{n}\}\). We use the subset pair (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{3}\)) of Table 3 to explain the proposed scheme; all the remaining subset pairs can be encrypted in a similar fashion using their respective chains. The overall encryption process consists of two steps. In the first step, the subset \({\mathcal {M}}_{1}\) is encrypted using the CC-BPE chain and the subset \({\mathcal {M}}_{3}\) is encrypted using the DC-BPE chain. In the second step, the last bit \(b_{n}\) is encrypted by feeding the ciphertexts obtained from the first step as inputs to the SBE function. The detailed description is as follows.

  • Key Generation (\(\mathtt {KG}\)): Given the security parameter k, select the RSA composite modulus \(N\in \{0,1\}^{k}\) with large distinct prime factors p and q such that \(p\equiv q\equiv 3 \pmod 4\). Choose random numbers \(r,s\in {\mathbb {Z}}^{+1}_{N}\) with \(\mathcal {PR}(r)\ne \mathcal {PR}(s)\), a random \(t\in {\overline{Q}}_{R}\), a random \(w\in {\mathbb {Z}}^{{-}1}_{N}\) and a random input \(x\in {\mathbb {Z}}^{+1}_{N}\). The public key is (N,x,r,s,t,w) and the private key is (p,q).

  • Encryption (\(\mathtt {E}\)): For all plaintext \({\mathcal {M}}\) and the public key (N,x,r,s,t,w), the encryption \(\mathtt {E}({\mathcal {M}})\) is given as

    $$\begin{aligned} \mathtt {E}({\mathcal {M}})=\left\{ \begin{array}{c l} {\mathcal {E}}_{con}({\mathcal {M}}_{1})=\langle Y_{1},Y_{2}=\{h_{u_{1}},\ldots ,h_{u_{(\frac{n}{2}{-}2)}}\}\rangle ={\mathcal {C}}_{1}\\ {\mathcal {E}}_{dis}({\mathcal {M}}_{3})=\langle Y_{3},Y_{4}=\{h_{v_{1}},\ldots ,h_{v_{(\frac{n}{2}{-}1)}}\}\rangle ={\mathcal {C}}_{2}\\ ~\text {and then do}\\ {\mathcal {E}}_{s}(b_{n},N,Y_{1},Y_{3},r,s,w)=\{Z_{1},Z_{2}\} \end{array}\right. \end{aligned}$$
    (8)

    Therefore, the final ciphertexts are \({\mathcal {C}}_{3}=\{Z_{1},Y_{2}\}\) and \({\mathcal {C}}_{4}=\{Z_{2},Y_{4}\}\). The pictorial representation of the encryption process is given in Fig. 4.

  • Decryption (\(\mathtt {D}\)): Given the ciphertexts (\({\mathcal {C}}_{3}\), \({\mathcal {C}}_{4}\)) and the private key (p,q), the decryption \(\mathtt {D}({\mathcal {C}}_{3},{\mathcal {C}}_{4},p,q)\) is given as

    $$\begin{aligned} \begin{aligned}&\left\{ \begin{array}{c l} {\mathcal {E}}^{{-}1}_{s}(Z_{1},Z_{2},p,q)=\{b_{n},Y_{1},Y_{3}\}\\ ~\text {and~then~do}\\ {\mathcal {E}}^{{-}1}_{con}(b_{n},{\mathcal {C}}_{1},p,q)=({\mathcal {M}}_{1}=\{b_{2},b_{4},b_{6},\ldots ,b_{n{-}2}\},x)\\ {\mathcal {E}}^{{-}1}_{dis}(b_{n},{\mathcal {C}}_{2},p,q)=({\mathcal {M}}_{3}=\{b_{1},b_{3},b_{5},\ldots ,b_{n{-}1}\},x) \end{array}\right. \\&={\mathcal {M}}_{1}\cup {\mathcal {M}}_{3},x\\&={\mathcal {M}},x \end{aligned} \end{aligned}$$
    (9)

    and the pictorial representation of the decryption process is given in Fig. 5.

Fig. 4 Abstract view of encryption process

Fig. 5 Abstract view of decryption process

4.1 Independent decryption scheme using CC-BPE method

It is evident that no subset alone can be decrypted to recover all the plaintext bits, except the subset \({\mathcal {M}}_{5}\) (see Eq. (7)). Therefore, to reduce the dependency among the subsets, the single subset \({\mathcal {M}}_{5}\) can be encrypted as \({\mathcal {E}}_{con}({\mathcal {M}}_{5},N,x,r,s,t)\) using the CC-BPE encryption technique described in Eq. (3.3) as

$$\begin{aligned} \begin{aligned} {\mathcal {E}}_{con}=&{\mathcal {E}}_{i}((b_{d=n{-}1},b_{n}),\mathcal {TD}_{i{-}1}({\mathcal {E}}_{i{-}1}((b_{d{-}1},b_{d}),\\&\mathcal {TD}_{i{-}2}({\mathcal {E}}_{i{-}2})))) \end{aligned} \end{aligned}$$

Example

Consider \(N=133, p=19, q=7\) and the plaintext \({\mathcal {M}}=\{1,1,0,0,1,1,1,1\}\) where \(\mid {\mathcal {M}}\mid =n=8\). Consider \({\mathcal {M}}_{1}=\{(1,0),(0,1),(1,1)\}\) and \({\mathcal {M}}_{3}=\{(1,1),(0,0),(1,1),(1,1)\}\). Let \(x=25, r=39, s=34, t=41, w=29\). The complete encryption and decryption process is given in Tables 4 and 5.
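As an added example (not the authors' code), the following Python checks the key-generation constraints of Sect. 4 against the toy parameters above and implements the two trapdoor primitives the scheme is built on: the quadratic residuosity predicate \(\mathcal {PR}\), which needs (p, q), and square-root extraction modulo a Blum integer, the step the decryption chains repeat for each bit pair. The function names and the rejection-sampling generate_keys() are my own; the BPE, TF and SBE chains themselves (Eqs. (2)-(4)) are not reproduced here.

```python
"""Key-generation constraints of Sect. 4 and the quadratic residuosity primitives
behind them, checked on the Example's toy parameters (added example, not the
authors' code). Function names and generate_keys() are my own choices."""
import random
from typing import List, Tuple

# Toy parameters from the Example: N = 133 = 19 * 7
TOY_PK = (133, 25, 39, 34, 41, 29)    # (N, x, r, s, t, w)
TOY_SK = (19, 7)                       # (p, q)


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0. Needs only the public modulus,
    so it decides membership in Z_N^{+1} / Z_N^{-1} without the trapdoor."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # 0 when gcd(a, n) > 1


def qr_predicate(a: int, p: int, q: int) -> int:
    """PR(a): 1 if a is a quadratic residue mod N = p*q, 0 otherwise.
    Uses the private key via Euler's criterion modulo each prime; without
    (p, q) this is exactly the quadratic residuosity problem."""
    return int(pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1)


def check_keygen(N: int, p: int, q: int, x: int, r: int, s: int, t: int, w: int) -> bool:
    """KG constraints: N is a Blum modulus, r,s in Z_N^{+1} with PR(r) != PR(s),
    t a pseudo-square (Jacobi +1 but not a residue), w in Z_N^{-1}, x in Z_N^{+1}."""
    if N != p * q or p == q or p % 4 != 3 or q % 4 != 3:
        return False
    if not (jacobi(r, N) == jacobi(s, N) == jacobi(x, N) == 1):
        return False
    if qr_predicate(r, p, q) == qr_predicate(s, p, q):
        return False
    if not (jacobi(t, N) == 1 and qr_predicate(t, p, q) == 0):
        return False
    return jacobi(w, N) == -1


def sqrt_mod_blum(a: int, p: int, q: int) -> List[int]:
    """All four square roots of a residue a modulo the Blum integer N = p*q.
    With p = q = 3 (mod 4) a root modulo each prime is a^((prime+1)/4), which
    is the step the decryption chains repeat for every bit pair (Sect. 6)."""
    N = p * q
    rp, rq = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q)
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            # CRT: the unique z mod N with z = sp (mod p) and z = sq (mod q)
            roots.add((sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % N)
    return sorted(roots)


def generate_keys(p: int, q: int, seed: int = None) -> Tuple[tuple, tuple]:
    """Rejection-sample (x, r, s, t, w) for given Blum primes until the KG
    constraints hold (toy sizes here; Tables 9-10 use k-bit primes)."""
    rng = random.Random(seed)
    N = p * q

    def draw(jac: int, residue=None) -> int:
        while True:
            a = rng.randrange(2, N)
            if jacobi(a, N) == jac and (residue is None or qr_predicate(a, p, q) == residue):
                return a

    r, s, t = draw(1, 1), draw(1, 0), draw(1, 0)   # r residue, s and t pseudo-squares
    w, x = draw(-1), draw(1)
    pk, sk = (N, x, r, s, t, w), (p, q)
    assert check_keygen(N, p, q, x, r, s, t, w)
    return pk, sk


if __name__ == "__main__":
    print("toy key consistent with KG:", check_keygen(TOY_PK[0], *TOY_SK, *TOY_PK[1:]))
    print("square roots of x = 25 mod 133:", sqrt_mod_blum(25, 19, 7))
```

Note that r = 39 is a residue, s = 34 and t = 41 are pseudo-squares (Jacobi +1 but non-residues) and w = 29 has Jacobi symbol -1, so the Example's values satisfy every KG constraint.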

Table 4 A toy example of the encryption process
Table 5 A toy example of the decryption process
Table 6 Performance comparison for all \(n\in {\mathbb {N}}\) bit plaintext schemes and \(k\in {\mathbb {N}}\) bit plaintext schemes
Table 7 Performance of the proposed scheme when \(n=k\)

4.2 Probabilistic single structure encryption switching signature scheme (ESwiS-Sig)

The proposed scheme of Sect. 4 can also be used to generate digital signatures. The detailed description is as follows.

  • Key Generation (\(\mathtt {KG}\)): Given the security parameter k, select the RSA composite modulus \(N\in \{0,1\}^{k}\) with large prime factors p and q. Choose a random quadratic residue \(r\in Q_{R}\) and a random quadratic non-residue \(s\in {\overline{Q}}_{R}\). Also, choose a random input \(x\in {\mathbb {Z}}^{+1}_{N}\). The public key is (N,x,r,s) and the private key is (p,q).

  • Signature Creation (\(\mathtt {D}\)): For any non-negative integer n, select two numbers (\(Y_{1}\),\(Y_{3}\))\(\xleftarrow {R}{\mathbb {Z}}_{N}^{+1}\) and select two bit strings \(Y_{2}\xleftarrow {R}\{0,1\}^{\frac{n}{2}{-}2}\), \(Y_{4}\xleftarrow {R}\{0,1\}^{\frac{n}{2}{-}1}\). Given a random message (\({\mathcal {C}}_{1}=\{Y_{1},Y_{2}\}, {\mathcal {C}}_{2}=\{Y_{3},Y_{4}\}\)) and the private key (p,q), the signature creation algorithm \(\mathtt {D}({\mathcal {C}}_{1},{\mathcal {C}}_{2})\) generates the signature \({\mathcal {M}}\) as

    $$\begin{aligned} \begin{aligned}&\left\{ \begin{array}{c l} &{}b_{n}\xleftarrow {R}\{0,1\}\\ &{}{\mathcal {E}}^{{-}1}_{con}(b_{n},{\mathcal {C}}_{1},p,q)=\{b_{2},b_{4},b_{6}\ldots ,b_{n{-}2}\}={\mathcal {M}}_{1}\\ &{}{\mathcal {E}}^{{-}1}_{dis}(b_{n},{\mathcal {C}}_{2},p,q)=\{b_{1},b_{3},b_{5}\ldots ,b_{n{-}1}\}={\mathcal {M}}_{3} \end{array}\right. \\&=({\mathcal {M}}_{1}\cup {\mathcal {M}}_{3})={\mathcal {M}} \end{aligned} \end{aligned}$$

    where \(\mid {\mathcal {M}}\mid =n\).

  • Verification (\(\mathtt {E}\)): Given the signature \({\mathcal {M}}\), the message (\({\mathcal {C}}_{1}\), \({\mathcal {C}}_{2}\)) and the public key (N, x, r, s), the verification algorithm computes \(\mathtt {E}({\mathcal {M}})\) and checks whether \(\mathtt {E}({\mathcal {M}})=({\mathcal {C}}_{1},{\mathcal {C}}_{2})\) as

    $$\begin{aligned} \left\{ \begin{array}{c l} {\mathcal {E}}_{con}({\mathcal {M}}_{1})=\langle Y_{1},Y_{2}=\{h_{u_{1}},\ldots ,h_{u_{(\frac{n}{2}{-}2)}}\}\rangle ={\mathcal {C}}_{1}\\ ~\text {and}\\ {\mathcal {E}}_{dis}({\mathcal {M}}_{3})=\langle Y_{3},Y_{4}=\{h_{v_{1}},\ldots ,h_{v_{(\frac{n}{2}{-}1)}}\}\rangle ={\mathcal {C}}_{2} \end{array}\right. \end{aligned}$$

Table 8 Performance of all possible subset pairs of the plaintext \({\mathcal {M}}\)
Table 9 Performance of the proposed encryption scheme (in milliseconds) for different key size
Table 10 Performance of the proposed encryption scheme (in milliseconds) for 3072 bit key
Table 11 Performance comparison of the proposed scheme (in milliseconds) with existing schemes.

4.3 Level of security

Since the proposed scheme uses quadratic residuosity properties, to reveal the plaintext \({\mathcal {M}}\) the adversary has to (i) find the quadratic residuosity properties of x, r and s, (ii) find the last bit from Eq. (4), and (iii) find the remaining bits from each BPE with probability \(p^{QR}\) and from each TF with probability \(p^{QR}\). The proposed scheme is secure as long as the underlying quadratic residuosity assumption holds.

In addition to this basic security, the proposed scheme further reduces the adversary's probability of revealing the plaintext, which makes it most suitable for secure cloud storage applications.

5 Performance evaluation of the proposed scheme

This section describes the performance of the proposed scheme.

5.1 Expansion factor

The generic expansion factor, applicable to all the subset pairs mentioned in Eq. (7), is defined as \(f=(m+d\cdot \log N)/n\), where \(m<n\) and d is the total number of ciphertexts generated by the encryption process. In the proposed scheme, if the security parameter is \(k=\log N=512\) and the plaintext size is \(n=512\), then \(m=(\mid Y_{1}\mid +\mid Y_{3}\mid )=509\) and \(d\cdot \log N=2\cdot \log N\). Therefore, the ciphertext expansion factor is \(f=(509+2\cdot \log N)/n=2.99\) (as shown in Table 6). Similarly, if \(k=512, n=1024\) then \(m=1021\) and \(f=1.99\). Also, if \(k=1024\), \(n=2048\) then \(m=2045\) and \(f=1.99\). Therefore, for all \(n=2k\), \(f=1.99\). Similarly, for all \(n=3k\), \(f=1.66\), and for all \(n=4k\), \(f=1.49\). In general, for all \(n\ge 20 k\), \(f\le 1\). Even though the ciphertext size of the proposed scheme is slightly larger than that of the existing schemes (see Table 6), it can reach a ciphertext size of k for all large messages with \(n\ge 20 k\).

5.2 Execution time

Since there are \((n-1)\) BPE functions involved in the encryption process of the proposed scheme and each BPE involves at most two modular multiplications, there are 2\((n-1)\) multiplications. Along with the BPE functions, \((n-3)\) TF functions are also involved in the encryption process, and each TF function involves one modular squaring. Also, one SBE function is used in the encryption process, and it has four modular multiplications. Therefore, in total, there are \(2(n-1)+(n-3)+4=(3n-1)\) modular multiplications involved in each encryption and decryption process. Since SBE involves a constant number of multiplications (i.e., four), we ignore it. Each bit thus involves \((3n-5)/n\) modular multiplications during the encryption and decryption process. Each encryption and decryption process of the proposed scheme involves \((3n-5)/n\) modular multiplications per bit plus \((n-3)\) \(\mathcal {PR}\) function evaluations. Refer to Table 7 for further details.

The performance of the other subset pairs is tabulated in Table 8. The communication complexity is almost the same for all subset pairs, but there is a difference in the capability for parallel execution. All the subset pairs except \({\mathcal {M}}_{5}\) can be encrypted independently (with separate chains), whereas only the subset pair (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{2}\)) can also be decrypted independently (note: both \({\mathcal {M}}_{1}\) and \({\mathcal {M}}_{2}\) are associated with CC-BPE chains, and CC-BPE chains have the capability of independent decryption). More precisely, during the encryption process, each chain (generally there are two chains involved) can be executed in parallel for the (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{3}\))/(\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{2}\))/(\({\mathcal {M}}_{2}\),\({\mathcal {M}}_{4}\))/(\({\mathcal {M}}_{3}\),\({\mathcal {M}}_{4}\)) subset pairs. But during the decryption process, one chain has to wait for the other chain for the (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{3}\))/(\({\mathcal {M}}_{2}\),\({\mathcal {M}}_{4}\))/(\({\mathcal {M}}_{3}\),\({\mathcal {M}}_{4}\)) subset pairs. Therefore, only the scheme that uses the subset pair (\({\mathcal {M}}_{1}\),\({\mathcal {M}}_{2}\)) can be executed in parallel during both the encryption and the decryption process. Also, there is no question of parallel execution in the case of the subset \({\mathcal {M}}_{5}\), since only one contiguous chain is involved.

5.3 Tamper proof facility

Due to the existence of the injective mapping, for any given plaintext \({\mathcal {M}}\) and public key (N,x,r,s,t,w), the encryption always produces unique ciphertexts \({\mathcal {C}}_{3}, {\mathcal {C}}_{4}\). Similarly, given the ciphertexts and the private key (p,q), the decryption always produces the unique plaintext \({\mathcal {M}}\) and input x as described in Eq. (9). Even a single-bit change in \({\mathcal {C}}_{3}, {\mathcal {C}}_{4}\) does not reproduce the unique plaintext \({\mathcal {M}}\) and input x. This feature suits secure cloud storage applications well, where the user can detect tampering with the stored data. Hence, the proposed scheme provides an inbuilt tamper-proof feature that informs the decrypting party about any change in the stored ciphertexts.

5.4 Encryption switching

One of the useful features of the proposed scheme is the ability to switch from homomorphism (and hence malleability) to non-malleability and back. This switching capability covers both homomorphic and non-malleable applications. To the best of our knowledge, no existing probabilistic encryption scheme (in its basic construction) provides this kind of switching feature without altering the underlying security structure.

The proposed scheme uses the injective function of Eq. (2). If instead the TF of Eq. (3) is chosen, the adversarial probability can be reduced further. By carefully observing the quadratic residuosity properties of the input and of the public key components, it is clear from Table 1 that there is a chance to opt for a random combination during the encryption process, and hence the adversarial probability can be reduced further if the combination is chosen at random during encryption. In the proposed scheme, however, the adversarial probability cannot be reduced in this way, since it uses a fixed combination. It is also possible to choose any subset pair during the encryption process; if the subset pair is selected uniformly at random during encryption, the adversarial probability can be reduced further. There are 256 unique combinations of the equations of \({\mathcal {E}}_{s}\) that can be used to encrypt the last bit of the plaintext. If the purpose of the proposed scheme is to provide asymmetric encryption using the public key of another party, then any one of the 256 combinations can be used. But if the purpose is to provide asymmetric encryption for secure user data storage on an insecure cloud, then any one of the combinations can be selected at random. This random selection creates additional effort for the adversary to reveal the information.

5.5 Security extension by pre-storing ciphertext bits

The greatest advantage of the proposed scheme in secure cloud applications is that some of the ciphertext bits can be withheld before the rest is stored on the insecure cloud. This additional feature greatly reduces the chance of revealing the plaintext, since only the size of the ciphertext would be partially known while the locations of the withheld bits remain unknown to the cloud. In fact, this feature is unavailable in the existing encryption schemes.

6 Implementation and results

Fig. 6 The performance comparison (key generation)

Fig. 7 The performance comparison (encryption)

Since the proposed scheme supports multi-threaded execution of encryption and decryption, the implementation of the encryption runs some of its parts in concurrent threads, and this multi-threading reduces the overall execution time. Since \({\mathcal {E}}_{con}\) and \({\mathcal {E}}_{dis}\) are independent encryption chains (as shown in Fig. 4), they are executed in two concurrent threads. Further, each encryption chain (\({\mathcal {E}}_{con}\) or \({\mathcal {E}}_{dis}\)) is executed in two steps. In the first step, given the plaintext bits, all the public key component multiplications (i.e., \(r\cdot r\), \(r\cdot s\) or \(s\cdot s\)) for each bit pair are calculated in a single unit of time (the unit time being the time required for a single multiplication). In particular, the (\(n-1\)) multiplications from \({\mathcal {E}}_{dis}\) and the (\(n-3\)) multiplications from \({\mathcal {E}}_{con}\) are executed concurrently in a single unit of time. In the second step, the remaining \(((n-3)+2)\) modular multiplications are calculated sequentially. Therefore, the total time required to complete the encryption process is 1 unit from the first step plus (\(n-3\)+2) units from the second step, i.e., n units. The decryption process, however, offers far less scope for multi-threading than encryption: the decryption chains depend completely on each other and cannot be executed in parallel, and in any given unit of time only two bit-pair decryptions (one from each chain) can run in parallel. Moreover, the major time-consuming part of decryption is the calculation of the quadratic residuosity property and the quadratic square roots for each bit pair. Since the whole decryption process involves (\(\frac{n}{2}+2\)) inverse multiplications, (\(\frac{n}{2}+2\)) quadratic residuosity property calculations and (\(\frac{n}{2}-1\)) quadratic square root calculations, the total unit time required to recover the plaintext is (\(\frac{n}{2}+2\)) inverse multiplication times plus (\(\frac{n}{2}-1\)) quadratic square root calculation times. Therefore, decryption takes comparatively more time than encryption.

We have implemented the proposed scheme of Sect. 4 on the following hardware configuration: Intel Core i5-8265U CPU at 1.60 GHz \(\times \) 8 processors, 64-bit Ubuntu operating system, 8 GB RAM; and software configuration: Java programming language on the Eclipse IDE, with the BigInteger package for large number generation. The running time performance of the proposed scheme in the key generation, encryption and decryption processes is tabulated in Tables 9, 10 and 11. The pictorial representation of the key generation, encryption and decryption performance is shown in Figs. 6, 7 and 8, respectively.

The performance comparison of the proposed scheme with the existing security schemes, as shown in Fig. 9, clearly shows that both the key generation and the encryption running times of the proposed scheme are better than those of RSA and ECC. The only time-consuming part is the decryption. This slow-running part is very helpful for user-centric secure storage applications such as healthcare record storage on an untrusted cloud: the cloud has to invest a huge amount of computation to reveal the information in the user's data because of this slow-running process. Therefore, the overall performance of the proposed scheme is reasonable compared with the existing public key schemes.

Fig. 8 The performance comparison (decryption)

Fig. 9 The performance comparison of proposed scheme with existing schemes

Fig. 10 A secure cloud storage and retrieval

Fig. 11 A secure-sharing using cloud storage

7 A tamper evident secure storage and retrieval method on insecure cloud

It is intuitive that the proposed scheme provides tamper evidence for the stored data when it is used to store information securely on an untrusted cloud. Consider a scenario with only two entities, namely Alice (client) and Cloud (server), in which Alice wants to store her private information securely on the curious and untrusted cloud, as shown in Fig. 10. The proposed scheme effectively provides the solution to this scenario with the highest security by choosing the non-malleable version (refer to DDN [11] for the definition of non-malleability) of the proposed scheme. Let Alice select her private message \({\mathcal {M}}\). Let Alice generate the (public, private) key pair and encrypt the message with her public key as \(\mathtt {E}({\mathcal {M}})\), producing the ciphertexts \({\mathcal {C}}_{3}=\{Z_{1} ,Y_{2}\}, {\mathcal {C}}_{4}=\{Z_{2},Y_{4}\}\) as described in Eq. (8). Now, Alice stores the dependent ciphers \(Y_{2}, Y_{4}\) on the untrusted cloud and keeps \(Z_{1}, Z_{2}\) with her. This method provides the highest data security to Alice for two reasons. First, each bit of the ciphers \(Y_{2}, Y_{4}\) does not provide any information other than the location (i.e., whether it belongs to \([1,\frac{N}{2}]\) or \([\frac{N}{2}+1,N-1]\)). Second, even a single-bit change in the ciphers \(Y_{2}, Y_{4}\) will alert Alice due to the tamper-proof support. This method also reduces the space overhead for Alice, since \(\mid Y_{2}\mid +\mid Y_{4}\mid \approx \mid {\mathcal {M}}\mid \) and \(\mid Z_{1}\mid =\mid Z_{2}\mid =k\), where k is the security parameter. The Cloud has only a negligible probability of revealing Alice's private message, due to the several random functions involved and its inability to access the other dependent ciphers \(Z_{1}, Z_{2}\).

Consider one more scenario with three participating entities, namely Alice, Bob and Cloud, where Alice encrypts her private message using Bob's public key via Eq. (8), stores the dependent ciphers (i.e., \(Y_{2}, Y_{4}\)) on the untrusted Cloud and sends the remaining dependent ciphers (i.e., \(Z_{1}, Z_{2}\)) to Bob, as shown in Fig. 11. Finally, Bob downloads \(Y_{2}, Y_{4}\) and decrypts Alice's message \({\mathcal {M}}\) using Eq. (9).

7.1 Patient-cloud-doctor Application

The above scenario is analogous to a patient, doctor and cloud setting in which the patient wants to send a private health record to the doctor using the cloud as the storage medium.

7.2 Author-cloud-editor Application

Using the above three-party communication setting, assume a scenario where an author (Alice) wants to send a research paper to the Editor-in-Chief (Bob) for anonymous review by securely storing the paper at a common access point (Cloud). In this case, the author creates a hash of the author(s) details using an existing hashing algorithm. Then, using the editor's public key, the author encrypts the paper using Eq. (8) of the proposed scheme, stores the dependent ciphers (i.e., \(Y_{2}\), \(Y_{4}\)) securely at the common access point (Cloud) and sends the other dependent ciphers (i.e., \(Z_{1}\), \(Z_{2}\)) to the editor, as explained in the above scenario. The editor downloads the ciphertext from the Cloud, decrypts the paper using Eq. (9) of the proposed scheme and initiates the review process anonymously (since neither does the paper contain the author details nor does the cloud store the complete ciphertext; only the hash carries those details). When the paper is accepted, the author sends the author details to the editor, and the editor generates a fresh hash of the received author details and verifies it against the received hash. This method successfully hides the author(s) details on both the editor and the cloud side and stores the data securely on the untrusted cloud.

8 Conclusion and future work

We have presented a quadratic residuosity-based probabilistic encryption switching scheme along with some of its suitable secure storage applications. The overall performance of the proposed scheme, including the bandwidth and the encryption switching property, is comparable with the existing schemes. Further investigation is required on extending the number of plaintext subsets and on their effect on the overall performance. In addition, investigating the reduction of per-bit multiplications and support for chosen ciphertext security are future directions.