A Secure and Efficient ECC-Based Scheme for Edge Computing and Internet of Things

Recent growth in the Internet of Things (IoT) has raised security concerns over the confidentiality of data exchanged between IoT devices and the edge. Many IoT systems adopt asymmetric cryptography to secure their data and communications. A drawback of asymmetric cryptography is the sizeable computation and space requirements. However, elliptic curve cryptography (ECC) is widely used in constrained environments for asymmetric cryptography due its superiority in generating a powerful encryption mechanism with small key sizes. ECC increases device performance and lowers power consumption, meaning it is suitable for diverse applications ranging from the IoT to wireless sensor network (WSN) devices. To ensure the confidentiality and security of data and communications, it is necessary to implement ECC robustly. A special area of focus in this regard is the mapping phase. This study’s objective was to propose a tested and trusted scheme that offers authenticated encryption (AE) via enhancing the mapping phase of a plain text to an elliptic curve to resist several encryption attacks such as Chosen Plaintext Attack (CPA) and Chosen Ciphertext Attack (CCA). The proposed scheme also undertakes evaluation and analysis related to security requirements for specific encryption attributes. Finally, results from a comparison of the proposed scheme and other schemes are presented, evaluating each one’s security characteristics and performance measurements. Our scheme is efficient in a way that makes so suitable to the IoT, and in particular to the Industrial IoT and the new Urbanization where the demands for services are huge.


Introduction
The continuous growth of industrialization and urbanization in recent years has led to the estimate that by 2025 there will be 21.5 billion actively connected Internet of Things (IoT) devices worldwide [1] as depicted in Figure 1. This remarkable growth of IoT shows that edge computing is increasingly used in today's society [2]. In particular, the constrained properties of IoT devices, which include low performance in terms of computational resources and storage space, led to the adoption of edge computing [3]. For these reasons, the need to maintain data confidentiality and integrity has increased, which has caused an explosion of interest in cryptography schemes [4]. There are two types of encryption scheme, which are based on the nature of the key that will be used to encrypt and decrypt the data: which known as, symmetric cryptography and asymmetric cryptography [5]. The first type uses a one key for encryption and decryption, and it is useful if the two parties know the key before exchanging data. However, if the sender and the recipient cannot agree on a secure secret key exchange, then asymmetric cryptography is needed. In asymmetric cryptography, elliptic curve

Elliptic Curve Cryptography
The first curve used in elliptic curve cryptography (ECC) was introduced by Koblitz in 1987 [19]. ECC is widely used for devices in constrained environments, including the IoT and WSN devices. This stems from ECC's value in affording the same level of hardness in terms of encryption as other asymmetric cryptography schemes, with significantly smaller key sizes and a lower computation overhead. As an illustration, the complexity of encryption in the RSA algorithm with a 1024-bit key is the same as the ECC algorithm with a 160-bit key. This noticeable difference in key sizes reduces the requirement for computation, and it lowers the storage needed to perform encryption. As a result, ECC supports low computation device capabilities, enabling them to perform more effectively [20]. ECC applications vary in the ways keys are exchanged between senders and recipients, as well as the approach used to secure communications between the two parties. In addition, ECC maintains message integrity by signing plain texts to prevent forgery.
The elliptic curve group operations are denoted as "+" for the addition of two points. For instance, let P = (x 1 , y 1 ) and Q = (x 2 , y 2 ), Therefore, the addition of P + Q can be expressed as (x 1 , y 1 ) + (x 2 , y 2 ) = (x 3 , y 3 ). In some cases, where P = Q, the group operation is denoted as multiplication α × P on elliptic curve over Z p , p > 3 that satisfy Equation (1), such that a, b ∈ Z p and 4 × a 3 + 27 × b 2 = 0 mod p where α is an integer value. For instance, P + P = (x 1 , y 1 ) + (x 1 , y 1 ) = 2P), similarly, 3P is equal to (x 1 , y 1 ) + (x 1 , y 1 ) + (x 1 , y 1 ), and so on. It is important to note the the EC must be nonsingular curves (i.e., have no multiples roots).
The main operation in elliptic curves is the group multiplication operation [21][22][23][24]. For dP, this refers to d times of the addition of point P, which results in a new point (x j , y j ). The private key is a large integer d, and the value of the multiplication operation (x j , y j ) is known as the public key. The hardness of ECC is caused by the hardness of the mathematical problem, which states that, by knowing the public key point (x j , y j ) and the starting point P, it is not possible to compute d in polynomial time [25]. This hardness is known in the literature as the elliptic curve discrete logarithm problem (ECDLP).
Several phases are involved in ECC to secure communications and encrypt transmitted data [26][27][28]. These phases are used together and/or separately, and they are listed as follows: The main computation process involved in the first phase is the calculation of the public keys derived by the multiplication of d (i.e., the private key) and G (i.e., the base point) [29][30][31][32]. The following phase involves the conversion of the plain text into numerical values, which is required because ECC depends on the use of numbers [33]. Therefore, the text must be securely converted in order to resist encryption attacks. Similarly, the third phase involves mapping the encoded value x i to the generated elliptic curve to find corresponding value of y i such that (x i , y i ) ∈ E p (a, b). If the mapping process fails in the first round, then x i is incremented by 1 until mapping is successful [34][35][36][37]. In the encryption phase, the cipher text is combined with the mapped point and secret key point (x mapped , y mapped ) + (x key , y key ). The fifth phase maintains the integrity of the cipher text and ensures the sender's nonrepudiation [38][39][40]. This is achieved by signing the cipher text using the sender's signature, and it depends on the following steps [41][42][43]: Having provided an introductory overview, the rest of this paper is organized as follows: a literature review of other schemes is provided in Section 2; in Section 3, the details of the proposed scheme are described; in Section 4, security analysis and performance evaluations are presented in detail; and finally, concluding remarks and future research are discussed in Section 5.

Related Works
Elliptic curve cryptography (ECC) is frequently used to reduce the computational overhead caused by the limited capabilities of devices in constrained environments. Many schemes use ECC to secure communications between two parties by safeguarding the shared key exchange process. In particular, the elliptic curve integrated encryption scheme (ECIES) first employed the asymmetric approach by generating the shared key between two parties using ECC, after which the plain text was encrypted using the symmetric approach under the AES scheme [44][45][46][47]. On the other hand, many of these schemes failed to provide detail on how ECC was used to secure the plain text and/or how they were encoded into numerical values for use in ECC's mapping phase.
Various proposed systems have enhanced key elements of the encryption process in ECC, but gaps have been identified in the literature. For instance, schemes proposed in [48][49][50] employ ECC without providing sufficient detail about how the plain text was encoded and mapped onto an elliptic curve. Therefore, enhancing these schemes tended to focus on performance rather than security. Similarly, [51][52][53] provided efficient algorithms for scalar multiplication in ECC that speed up the multiplication process. However, many schemes focus on securing ECC, and they offer more insights into the approach used to encode plain text and map it onto an elliptic curve. The rest of this literature review focuses on these schemes and, in particular, on the question of how the plain texts are encoded into numerical values, in addition, how these values are mapped onto the elliptic curve.
Several schemes proposed ways to secure plain text by encoding the characters to numerical values, thus giving them the ability to be mapped onto the elliptic curve. Many approaches use these schemes to encode the plain text. For instance, using the ASCII table, each character is converted into its decimal number [26,[54][55][56]. In this case, the plain text "Hello" would be encoded to become "72" "101" "108" "108" "111". These values are then mapped directly onto the elliptic curve as cipher text. However, this approach falls under the chosen plain text attack (CPA). This is because the attacker has the power to decrypt the chosen cipher text (in this case, a commonly used scheme). For this reason, other schemes manipulate the ASCII table by multiplying it by a secure number that is agreed on by both parties [57].
Critically, the issue of sharing the secure number is similar to the challenge of agreeing on the sharing of a secure key between the two parties. Such a scheme could also fall under the CPA and CCA. Similarly, other schemes are based on different encoding approaches that rely on matrix-based methods to conceal the matching table [58]. Specifically, these schemes use secret mapping tables that are unknown to anyone except the recipient, and which are used to encode and decode the plain text in a secure manner. While this may be true, there are two weakness associated with this approach: first, the dilemma of how to secure the delivery of the matrix table to the recipient in a secure way, thereby preventing CPA; and second, it is known that if the matrix-table is assumed to be securely delivered, then the cipher text falls under the CCA. This is because the same encrypted characters are repeated for the same plain characters in each encryption process.
The third approach to overcome flaws in ECC involves Block Chaining operations. The first step is to divide the plain text into a set of fixed-size blocks. In turn, the first block of the plain text is XORed with an initial vector InV [59]. Following this, the result of the first XORed value is used for the second XOR operation with a second block, and the process is repeated for all plain text blocks. This is a good approach, but it is vulnerable to CPA and CCA when the plain text is divided into a set of blocks and all blocks are same (e.g., the plain text is a repeated character). As a result, the second XORing process results in the value of the InV as following InV ⊕ B 1 ⊕ B 2 = InV. This is because B 1 = B 2 . Therefore, the result of the XORing operation becomes B 1 , InV, B 1 , InV, ..., where B 1 = B 1 ⊕ InV. Additionally, this scheme lacks AE property, which increases vulnerability to cipher text tampering attacks and nonrepudiation issues.
Barman et al. [60] proposed an encryption method to secure IoT communications informed by DNA-based ECC. For each set of characters in the plain text, a DNA genome sequence is mapped to it. There are many genome sequences publicly available, and so randomizing the selection of genome sequences is part of the encryption process for the plain text. Furthermore, the decryption process should use the same DNA genome sequences. Therefore, both parties, the sender and the recipient, must use the same sequences before encrypting and decrypting the plain text. For this reason, the DNA genome sequences should be securely used only by the sender and recipient. If an attacker discovers the sequence, the scheme will be vulnerable to encryption attacks such as CPA. Additionally, even if the sequence is delivered securely, the cipher text will be the same for each repeated plain text encryption process. Resultantly, the scheme is also vulnerable to other encryption attacks, including CCA.
Duarah et al. [61] introduced Securing IoT Using Machine Learning and ECC. In their scheme, the authors first classified the data set to enhance the transmitted data, where the accurate data were transmitted only to reduce computation efforts. If the data were clean, then they were moved into a second stage, namely encryption via ECC. However, if the data is malicious then it is discarded to save the encryption computation efforts. In the encryption phase, the authors wrote the key generation algorithms that use the ECC scalar multiplication operation δ = (P) * (d) s.t. P is a point in the elliptic curve, and d is the private random integer. In their encryption algorithm, the authors defined how the shared key is constructed in order to encrypt the plain text by the addition operation between the plain text and the shared key. Although the scheme produced a new strategy for performance enhancement in the IoT environment by limiting data transmission only to clean data, the security analysis indicates that it is vulnerable to CPA when the same data are encrypted and sent using the same scheme.
Joglekar et al. [62] proposed Lightweight ECC for Data Integrity and User Authentication in Smart Transportation IoT System. In their scheme, the authors use One Time Password (OTP) to exchange the shared key securely to prevent the man in the middle attack (MITM). The 4-digit OTP is encrypted using ECC and transmitted to the recipient to complete the registration process. The shared key between the two parties is constructed as follows: are private keys for Sender A and Recipient B, respectively. Similarly, Q B = d B G and Q A = d A G are the public keys for Sender A and Recipient B. Using OTP to prevent the MITM is a good approach, but the authors neglected to state whether there is an assumption about the 4-digit OTP. It is relevant that the brute force attack needs 10 4 = 10, 000 possible choices to break the OTP, which can be completed in several minutes. Furthermore, the authors did not state how to encrypt the OTP or how to map it onto an elliptic curve.
Finally, Das & Giri [55] proposed two encoding algorithms, which generate sets of numerical values via the sum of weight n with base b IntegerDigits[n, b] − 1. The first encoding algorithm is used when the value of the base b is a dynamic integer. In this case, the highest accepted value is 65, 536 (i.e., the highest value of ASCII table). In addition, n is the size of the prime field, where the authors suggest the use of a 192-bit key. Resultantly, the set of groups that can be combined based on their method is IntegerDigits[192bit, 65, 536] − 1 = 11. The base b can be reduced below 65, 536, which increases the set of groups more than 11 based on b. However, the reduction of b should also contribute to a reduction in ASCII table mapping, and the authors did not provide a safe reduction mechanism. When b is not dynamic in the second algorithm, the suggested set of the combing group is equal to IntegerDigits[n,b]−1 . Based on the scheme described by the authors, it is 58−1 11 = 6, and the number of groups based on both algorithms is small. Thus, the computation overhead will increase compared to other schemes. Notably, the encoding and mapping phases did not manipulate the plain text characters after using the ASCII table values, which heightened the scheme's vulnerability to CPA.
All schemes in the literature are vulnerable to CPA and/or CCA, such that the encryption of the same plain texts always produce same cipher texts. Besides, these schemes use the appending method in the mapping phase which results in increasing the computation overhead. Although, some schemes that use the probability method to map points to EC failed to justify the chosen value of k. Moreover, many of the existing schemes fail to offer secure AE scheme, which means they are vulnerable to tampering attacks. An attacker can modify the transmitted cipher text without detection by the receiver. The cipher text offers confidentiality only; it does not offer integrity by itself. Therefore, to prevent tampering, to maintain the integrity of the cipher text, to ensure that the transmitted message is secured against encryption attacks, and to enhance the mapping phase performance, the proposed scheme ensures the AE property, resists CPA and CCA, and enhances the mapping phase performance.

The Proposed Scheme
The proposed scheme contains nine phases: initializing system parameters; converting the plain text message into numerical values (encoding); finding the mapping points on the elliptic curve; encrypting the mapped points; signing the aggregated mapped points as cipher text; and finally, undertaking the reverse of the previous phases by verifying and decrypting the received cipher text, decoding the mapped points, and converting the mapped points into plain text.
This study's main contribution is to offer a secure and efficient encryption scheme in the form of ECC. It facilitates secure communication by creating a shared key for a group of parties, which they can use to secure their shared messages. Notably, shared key creation is undertaken in the first phase, and many recent studies neglect to highlight the importance of having a shared key between parties for shared message encryption. In addition, this study provides a secure and enhanced method to encode and map plaintext to EC. Therefore, this study focuses on the three phases that start the ECC because it constitutes a major feature of any system for securing group communication (e.g., IoT environments). Figure 2 shows the nine phases of the proposed scheme.

Generating System Parameters
The aim of this phase is to generate the parameters needed to secure communication between all parties by setting up public and private keys. This phase contributes to the creation of the shared group key gk sh , which is used to encrypt the message shared between group members. The notations that the system generates, which are used for each session in the proposed scheme, are illustrated in Table 1.
Hash function used only by edge nList Node list containing references and Cipher text (all encrypted points) ⊕ XOR used in mapping phase to secure mapped points + Addition operation used in ECC to encrypt mapped points with gk sh It is important for the edge to create and maintain the shared group key k sh . This enables the parties to decrypt cipher text effectively. Therefore, edge creates the initial k sh using its H 1 (id edge ) and PRK. The key generation process is illustrated in Algorithm 1.
Algorithm 1: Edge algorithm for generating initial shared group key k sh . Input: id edge ; H 1 ; PRK Output: k sh In a similar way, for every new node that joins the group, k sh is updated by the following Equation (2).
To maintain the forward and backward secrecy, it is important to ensure that all new nodes that join cannot decrypt the cipher text sent before it joined the group using k sh . Similarly, any nodes that leave the group cannot decrypt the cipher text sent after their departure. To achieve this, the proposed scheme allows each node to perform certain operations to maintain k sh .
For a new node to join the group, the edge sends the joined node hashed ID H 1 (id ni ) to all current nodes. In turn, each node adds the hashed ID to its node list nList, and it simultaneously updates k sh using Equation (2). Similarly, the edge updates its k sh using the same equation. In turn, the edge sends k sh to the newly joined node, along with a list of all hashed IDs of existing node (with the exception of the hashed ID of the new node). Figure 3 illustrates this process, and Algorithm 2 describes the steps required to perform the joining process. Similarly, when the current node leaves the group, the edge sends its reference ID to all currently joined nodes, and each node updates k sh using Equation (2). At the same time, the corresponding hashed IDs are removed from the node list. Additionally, the edge updates k sh using Equation (2), and it removes the corresponding hashed ID from its node list. Figure 4 presents a sequence diagram illustrating the process, and Algorithm 3 describes the steps required to perform the leaving process.  This study extended the encoding and mapping mechanism steps proposed in [63]. As described in related work, a security flaw exists in the study's encoding process. The main encryption flaw associated with the encoding and mapping phases in ECC stems from the fact that using the same encryption scheme produces the same ciphertext. As such, by analyzing the ciphertext, the adversary can gain important information about the plaintext. To illustrate this flaw, Figure 5 shows how the same letter is encoded with the same value every time. Thus, the corresponding ciphertext of the encoded value is transformed into the same ciphertext value each time, which allows the adversary to distinguish between the set of ciphertexts to extract the plaintext, as shown in Figure 6.  Every scheme discussed in this study's literature review in Section 2 is vulnerable to an encryption flaw. Therefore, the study provides an improved encoding process to overcome this flaw by dividing the plain text into a set of blocks denoted by B. Then, the characters of each block B are counted, denoted by N, which can be calculated as follows: It is worth noting that 8 is subtracted from p to allow a maximum of 8 bits in terms of the padding bits used in the mapping phase. Therefore, in the proposed scheme, we can determine the value of N as follows: In a similar way, the number of blocks B needed in each plain text, denoted by the number of characters M, is determined by the following equation: The to divide the plaintext to this length is because every block B must be mapped to the 192-bit ECC (field size 192). As discussed previously, 8 bits in every block are reserved for the mapping phase, in which they serve as padding bits to secure the number of rounds required to find the mapping points for each block. Figure 7 illustrates the process needed to convert the plain text M into set of blocks. Sender : obtain the B i = B i + ASCI I(c j+((i−1) * N) ); Following the conversion of M into a set of blocks, the next critical issue is to ensure that the blocks are secure against encryption attacks (e.g., CPA and CCA). Therefore, the Cipher Block Chaining (CBC) was used to make the blocks resistant to such attacks. Figure 8 shows the process of ⊕ the blocks to increase their security.  Mapping a point to an elliptic curve means that (x i , y i ) satisfies Equation (1). Therefore, it is important to find the value of y i corresponding to x i for each point. Every secured block is converted into a decimal value, and these values are then mapped to the elliptic curve generated in the first phase to find the corresponding value of y i . Figure 9 illustrates the steps involved in mapping the secured blocks to an elliptic curve.
Algorithm 6 outlines the steps involved in mapping the secured blocks to an elliptic curve. Sender : x i = x i + 1; 7 Sender : repeat the loop until f ind y i ; 8 Mapped points ← the results

Encrypting and Decrypting the Mapped Points
In many schemes, the assumption is made that the mapping phase is sufficient to secure the plain text and plays the encryption phase. However, this assumption is incorrect because the mapping phase to the elliptic curve means that these points belong to the generated elliptic curve and can benefit from the elliptic curve discrete logarithm problem (ECDLP). In our proposed scheme, we encrypt these points by adding them to gk sh . Figure 10 illustrates the process for encrypting the mapped points. The algorithm used to secure the transmitted message using the shared group point gk sh is given below. The remaining phases constitute a reversal of the previous phases. Therefore, the secured points are decrypted, and the recipient subtracts them with gk sh . As illustrated before, all parties have the same shared group point gk sh , which is used to encrypt and decrypt the messages. In Figure 11, an illustration of how to decrypt secured points is given.

Decoding and Converting the Decrypted Points into Plain Text
The next phases are concerned with completing the previous phase, which focus on decoding and converting the decrypted points into a plain text M. There are two pairs on each set of these points, denoted x i and y i . It is worth noting that y i is used in two phases only: the encryption and decryption phases. In these phases, the values are used to add and subtract two points on the elliptic curve. Therefore, in this phase, we are only concerned with x i , that represent the binary values of the characters in the plain text. The process that describes the decoding phase is illustrated in Figure 12. Finally, the binary values obtained in the previous phase are converted into their corresponding characters. These binary values represent the plain text message M, and so they need to be converted into their ASCII values. The conversion process is illustrated in Figure 13.

Signing and Verifying the Encrypted Message
The intention of AE schemes using the encrypt then sign approach is to transmit messages between parties without compromising confidentiality, security, and integrity. In the proposed scheme, confidentiality (encryption) is maintained by the previous phases. Thus, to assure integrity (sign), the sender signs the message using his or her private key d s , which relies on ECDSA. The message M sent consists of a set of tuples, which contain the encrypted points C M and InV, the timestamp t o , and a random signature integer k. The signing process is illustrated in Figure 14. The receiver of a signed message verifies it using the sender's public key. The verification process is illustrated in Figure 15. Algorithm 12 outlines the steps involved in verifying the integrity of the received message using the sender's public key.

Security Analysis and Performance Evaluation
Every scheme discussed in this study's literature review is vulnerable to an encryption flaw. For instance, the encryption schemes presented in [55,[60][61][62] produce the same cipher text when repeated several times, as outlined in Figures 16 and 17.
These schemes suffer from an encryption weakness because they offer the same cipher text if the sender encrypts the plain text using the same encryption key. The main factor that underlies this flaw is that the encryption process in these schemes neglects to consider the importance of manipulating plain text before encrypting and decrypting it. This ensures that a distinct cipher text is produced for every encryption process. Therefore, in the absence of a manipulation step, the adversary can learn from the cipher text, determining whether certain cipher texts are the same or different.
In the scheme proposed by [59], this flaw is resolved by using XOR with InV. Figure 18 shows that the cipher text outputted from the encryption process is different to the cipher text generated by the process depicted in Figure 19, which uses the same plain text. However, these schemes are vulnerable to the same flaw, particularly in the special cases outlined in Figure 20. This flaw occurs when the blocks divided for XOR with InV are equal to B 1 = B 2 = B 3 = ... = B n . In this case, B 1 = InV ⊕ B 1 , , and so on. Therefore, in the event that all blocks are the same, an attacker can exploit the encryption flaw because XOR with InV operations become:     Based on the flaws identified in existing schemes, it is a valuable contribution to the literature to improve the encryption process with CBC. In the proposed scheme, all previous flaws are resolved by using CBC with InV derived from mapping points to secure the cipher text in all forms, as described in Algorithm 5. The encryption operation generated by the optimized encryption process is illustrated in Figure 21.

Indistinguishability under Chosen Plain Text Attack IND-CPA
A scheme known as IND-CPA if the adversary has the power to submit as many m i,0 , m i,1 i = [1, 2, .., q] as desired and also when he or she receives the cipher texts for each message. Then, the adversary must submit two distinct messages, m 0 and m 1 , where |m 0 | = |m 1 |, to the encryption oracle, receiving c ← Enc(k, m b ). This is illustrated in Figure 22. The challenge is that the adversary is required to guess the value of b with a probability of the following: Thus, schemes proposed in [55,[60][61][62] are insecure under CPA. An adversary can win a challenging game by submitting two identical messages, m 0 , m 0 , to the encryption oracle. In turn, the encryption oracle sends the cipher text c 0 , which is the cipher text for m 0 . In an experiment, the adversary sends two messages, m 0 , m 1 where |m 0 | = |m 1 |, and the encryption oracle responds by encrypting one message and sending one cipher text c b . The adversary is then challenged to guess the value of b = 0 or 1, and to determine which cipher text belongs to m 0 or m 1 . However, the adversary can win the challenge with Adv I ND−CPA [A, E] = 1. This is because the encryption oracle in such schemes always encrypts the same messages with the same cipher texts and the same key. Therefore, since the adversary already has c 0 , he or she can determine whether the value of b is 0 or 1. This is achieved by matching c b with c 0 . If c b = c 0 , then b = 0; otherwise, b = 1. This process is illustrated in Figure 23. Theorem 1. The proposed scheme is (IND-CPA) such that the probability of the adversary to decrypt the message in the two experiments is negligible, as written in Equation (7).
Proof. This theorem is proven by the fact that the proposed scheme uses a different value of InV for each experiment. Hence, the adversary can submit as many messages as he or she wants to the encryption oracle. The cipher texts generated by the experiment will not be the same, even for the same message. For example, in the second experiment, InV in EXP(0) was different compared to InV in EXP(1). Therefore, when the adversary submits the same message m 0 , m 0 in EXP(0), he or she will receive the corresponding cipher text in that experiment, which is c 0 . However, when the adversary moves to EXP(1) where the encryption oracle challenges the adversary, the two messages submitted by the adversary m 0 , m 1 are not distinguishable. This is because the cipher text from m 0 in EXP(1) is different from the cipher text from the same message m 0 in EXP(0). For this reason, the probability that the adversary wins the challenge is Adv I ND−CPA [A, E] = 0 Let Π = (Gen, Enc, Dec) be an ECC encryption scheme, and let us define the experiment between the challenger and the attacker A as follows: where k is the key size: 1.
The attacker A submits 1, 2, ..., q queries to the challenger to encrypt a plain text of their choice 3.
The attacker A sends two messages (m 0 , m 1 ) for the challenger to encrypt 4.
The attacker A outputs the value b = 0 or b = 1, and A wins if the probability of A guessing a correct value is not negligible Consider the following games: The attacker A makes a request for encrypting a message (m 0 ), and receives (c 0 , InV) ← Enc(PU, (m 0 ⊕ InV)).

Game (1)
The attacker A sends two messages (m 0 , m 1 ), where m 0 is the same m 0 as in game 0. The challenger outputs (c b , InV ) ← Enc(PU, (m b ⊕ InV )) to challenge A to guess the value of b.

Game (3)
The attacker A returns the value of b based on the comparison he or she can perform to distinguish between (m 0 , m 1 ), which relies on game 0 and 1. However, the probability that A achieves this is 0 because the c 0 ← Enc(PU, (m 0 ⊕ InV)) in game 0 is not the same as c 0 ← Enc(PU, (m 0 ⊕ InV )) in game 1. It is also relevant to note that the XOR operation in both games is undertaken with different IV.

Indistinguishability Under Chosen Ciphertext Attack IND-CCA
An encryption scheme is IND-CCA if the adversary has the ability to submit as cipher texts as he wants c i,0 , c i,1 i = [1, 2, .., q] and to receive the plain text for that cipher text. In addition, the adversary submits any two distinct messages m i,0 and m i,1 , where |m i,0 | = |m i,1 | to the encryption oracle and receives c ← Enc(k, m b ). This process is depicted in Figure 24. The challenge is that the adversary is required to guess the value of b to differentiate between the two experiment's games, with probability as follows: With the above in mind, the scheme proposed in [59] is not secure under CCA. The adversary can win the challenging game by submitting two messages, m 0 , m 1 , to the encryption oracle. In turn, the encryption oracle sends the cipher text c ← E(k, m b ) = (InV, c b ), which is the cipher text for either m 0 or m 1 . Subsequently, the adversary modifies c by XORing InV with R, where R = 0. This produces c = (InV ⊕ R, c b where c b = E(k, InV ⊕ m b , which is sent to the decryption oracle for decryption. The decryption oracle responds by decrypting the cipher text D(k, c ). This process relies on the modified InV ⊕ R. The result is that the decryption process is Consequently, an adversary can guess the value of b = 0 or b = 1 by XORing m b ⊕ R, after which it can be compared directly with the received message m b . Therefore, the adversary can win the challenge with Adv I ND−CCA [A, E] = 1. This process is illustrated in Figure 25. Proof. The proof for Adv CCA [B 1 , E] starts by noting the adversary's ability to access both the encryption and decryption oracle. At the same time, the adversary cannot submit c i received from the encryption oracle and then submit it for decryption to distinguish the experiment game. However, the adversary can modify the received c i ← E(k, m i ) and submit it for decryption as the modified c i = c i . Thus, the adversary can win the challenging game by XORing InV with a random R, thereby guessing m i (see Figure 25). The proposed scheme offers integrity to cipher texts. It also protects transmitted cipher texts from tampering. Therefore, the decryption oracle drops any modified c i , meaning that the oracle responds to the adversary with ⊥ ←< InV ⊕ R, c i ) > for every modified message, as illustrated in Figure 26. Resultantly, the proposed scheme is negligible under Equation (8)  Let Π = (Gen, Enc, Dec, Sign, Ver) be an ECC encryption scheme, and let us define an experiment between the challenger and attacker A as follows: where k is the key size: 1.
The attacker A submits 1, 2, ..., q queries to the challenger to decrypt their chosen cipher text 3.
The attacker A sends two messages (m 0 , m 1 ) to the challenger for encryption 4.
The attacker A outputs the value of b = 0 or b = 1, where A wins if the probability of guessing A correctly is not negligible Consider the following games: The attacker A makes a request for encrypting a message (m 0 ), and receives (c 0 , InV, Sign) ← Enc(PU, (m 0 ⊕ InV)).

Game (1)
The attacker A modifies the cipher text from game 0 (c 0 , InV, Sign) to XOR the InV with a random value R = 0. A request is made for the challenger to decrypt the cipher text (c 0 , InV ⊕ R, Sign).

Game (3)
The attacker A can compute the plain text from (m b ⊕ InV ⊕ (InV ⊕ R)) ← Dec(c 0 , InV ⊕ R, Sign), which results in (m b ⊕ R). In this case, A can compare (m b ⊕ R) with (m 0 ⊕ R) and (m 1 ⊕ R). However, A will fail to win because the challenger will discard the modified (c 0 , InV ⊕ R, Sign). This stems from the fact that Sign is invalid, meaning that probability of the success of A is 0.

Malleability Attack
Changing encrypted data can lead to the modification of the plain text after decryption, which is known as a malleability attack. For instance, the attacker modifies the InV with the value of 1, which means that the first block of the plain text message will be XORed with 1. As a result, the reset of blocks in the CBC will also be modified. The steps involved in the malleability attack are depicted in Figure 27.  Proof. It is known that an adversary can eavesdrop on the messages sent between the two parties. Adversaries can also change messages and return them to either party. However, the recipient checks the received message's integrity before decrypting the cipher text. Therefore, the recipient ignores the received message because it has an invalid signature. An illustration of this proof is given in Figure 28  A security analysis comparison was undertaken between the scheme proposed in this study and others mentioned in the literature (see Table 2).  Barman, [60] N N N N N O(n log n) n N Joglekar, [62] N N N N N N/A N/A N Muthukuru, [59] Y N N N N O(n log n) n N Duarah, [61] N N N N N O(n log n) n N Das, [55] N

Performance Evaluation
The main goal of the proposed scheme was to provide a secure scheme that resolved encryption flaws that yield to CPA and CCA attacks. The study also sought to offer a scheme with a suitable level of performance in constrained environments. The security aspect of the proposed scheme was proven in the previous section, and this section evaluated the performance of the scheme based on two criteria: enhancing the process of mapping points to an elliptic curve; and time, space overhead, and power consumption in a simulation environment.

Mapping Points to an Elliptic Curve
Mapping points to an elliptic curve should be undertaken correctly and efficiently. As illustrated in Figure 29, 50% of x i points cannot be mapped to the EC as there is no y i axis that meets the EC's equation. Therefore, it is necessary to increase the value of x i by 1, and then to recompute y i until a value is found that matches. As a result, the x i point is eventually mapped. In many schemes, the characters in plain text are converted into numerical values based on the ASCII table, which facilitates their mapping onto the elliptic curve. Therefore, when these values are not mapped from the beginning, the value to be mapped increases. However, this step changes the original value, and the plain text is lost. For this reason, to overcome this problem, two methods are widely used to map points: the probability method and the appending method. In the probability method, which was introduced by King (2009) [64], the value of k is defined, which represents the number of rounds needed to map the points. This value is multiplied by x i , and the product is used in the mapping phase with ability to increment it in k rounds. In turn, the value of x i can be restored by calculating the value of the mapped point: In the second method, the appending method, x i is appended by number of bits representing the number of rounds required. For instance, if the scheme defines the appended bits as 000, then the number of rounds that can be safely used in the mapping phase is 2 3 = 8 rounds.
Each method has advantages and disadvantages relating to computational efficiency and the maximum number of rounds. The probability method is more efficient and less complex than the appending method. Using the Harvey-Hoeven algorithm [65], the multiplication operation complexity is O(n log n), where n is the numerical value size in bits. However, the complexity of appending two texts (i.e., concatenations) is denoted as O(n 2 ) [66], which highlights the fact that the appending method is more complex than the probability method. This is illustrated in Figure 30. The appending method guarantees to provide a maximum number of rounds base on the appended bits. As the appending methods concatenate fixed bits b to the corresponding binary x i value, x i can be incremented 2 b times. In contrast, the probability method increases the same size of bits, but in many cases, it would allow fewer round increments compared to the appending method. This is outlined in Figure 31. In the proposed scheme, the probability method was used to improve performance. Hoevewr, to increase the efficiency of the choice of k, the proposed scheme took advantage of the appending method to select this value. This was achieved by recalculating k = 2 logk , which was used to set the number of rounds to the maximum value of the extra bits added to the value of x i , as shown in Figure 32. The enhancement made to the probability method increases the number of mapping rounds with same size of the padding bit. As a result, the efficiency was more than 80% in some cases. Figure 33 shows the percentage of improvement that the proposed enhanced selection of k method offers compared to the probability method.

Simulation Performance Evaluation
The performance evaluation of the proposed scheme focused on whether the enhancement of the encoding and mapping phases, which was intended to improve resistance to encryption attacks, negatively affected performance. Therefore, the performance of the proposed scheme against other schemes took place to evaluate time overhead, space usage, and power consumption. The schemes are divided to three groups: schemes that did not use InV or any other methods to manipulate the mapped points as [55,[60][61][62]; schemes that used fixed InV to overcome CPA, including [59]; and finally, schemes that used CBC to overcome the CCA (in this case, only the proposed scheme).
The performance evaluation involved running an experimental simulation 5 times for 20 s each using a low computation device. Figure 34 illustrates time overhead in the three groups included in the performance evaluation. Notably, all three groups were associated with similar levels of utilization. Therefore, it is reasonable to conclude that improving the security of the proposed scheme did not affect the time overhead. Space usage variation was identified during the experiment, as illustrated in Figure 35. Additionally, power consumption for each group was determined based on values (high, medium, low, or none), which are shown in Figure 36. The results indicate that power consumption was similar across the three groups.   It is worth mentioning that, the proposed scheme was simulated, tested and compared to the state of the art schemes in a simulated environment using an Android Virtual Device (AVD). AVD has variety of low computation devices images built by Android OS, and it provides processing space and power consumption monitoring and logging. In addition, we used the Bluej Java Development Environment to code the proposed scheme. The platform used to host the AVD is based on Windows 10, and, in terms of hardware, an Intel Core i7-4510U was used with a 128GB SSD and 8GB RAM.

Conclusions and Future Research
This study proposes a novel approach to elliptic curve cryptography (ECC) that offers AE properties to secure cipher text and to enhance the encoding of text effectively and map the encoded text to an elliptic curve. Previous schemes neglect to consider the importance of the encoding phase, which makes them vulnerable to attack. Therefore, this study focused on the encoding phase, seeking to secure it against several encryption attacks, including CPA, CCA, and malleability attacks. This study also undertook a security analysis to present a proof for the resistance of the proposed scheme against specific encryption attacks. Additionally, the study conducted a performance evaluation to compare the impact of the security enhancement of the proposed scheme on time overhead, space usage, and power consumption to other schemes. The simulation experiment shows that the proposed scheme performed just as well as the other schemes, with no noticeable increase in computation overhead. As a result, the proposed scheme outperforms the security of other schemes and maintains the same computational overhead.
In future research, the authors intend to implement the proposed scheme in different environments such as enhance the protection using TPM-based for mobile agents. Moreover, adapt the scheme in Monitoring the cloud computing architecture to enhance Dynamic Security Properties. In addition, apply the proposed scheme with Policy Based Management to increase the Security of Cloud Computing. These application of proposed scheme lead to study the security analysis and performance evaluation in comparison with other similar schemes. Additionally, more security properties may be added to the study to increase the security requirements, which might be required in new environments.