Hybrid AES-ECC Model for the Security of Data over Cloud Storage

Reviewer 1 (major issues)

The structure of the paper is strange. The reviewer think that the proposal is to build a secure cloud service by combining AES and ECC. However, Fig. 4, which is the proposal, is a common configuration and not novel. Also, it does not show that it can prevent the attacks pointed out by the authors. Figure 4 is not divided into entities such as upload user, download user, server, etc., and is not a diagram that can be used to discuss the security level. The authors should properly explain the novelty of the proposed method.

The structure of the paper is revised. A new section i.e., Section 3.1 is added which also explains the paper flow with the help of a methodology diagram. Moreover, Figure 4 is now updated. It can be observed that how the proposed scheme differs from a normal encryption technique. The details have been elaborated in the Lines 318-319 on Page 12 of the main file. A preview of the Figure 4 is provided in appended text. Following text has been added in the main file.

“Attack prevention can be done in the following way. For example, if attacker wants to attack on user side, in order to gain user personal information or for some other purpose; in the proposed approach, once the user upload the input file, file is converted into encrypted text with the help of AES Encryption, now the text is fully encrypted. So, if in a case attacker performs attack and somehow get the user uploaded file, then it’s useless because information is already encrypted on uploading. Similarly, on the other end, if attack performed, attacker is not able to decrypt the encrypted file and hence the data is secured from attacks.”

Also in the Fig.4, now the division of entities can be clearly seen like upload user and download users are now mentioned properly.

“Novelty of the proposed method can be seen in the new proposed diagram, in which secure transmission of user data to server and then storage mechanism is even secured due to encrypted data. Also, novelty can be determined in terms of computational cost and time.”

Quoted descriptions are also added in the main file as well in the lines 321-331 in Page 13 of the main file.

Since the idea of combining ECC and AES is not new, it seems that the authors need to discuss how to combine or implement them to achieve higher speed. However, the comparisons in Fig. 5 and Fig. 6 seem to only list the existing cryptographic algorithms and compare their performance. Therefore, it does not seem to be a fair comparison since there is no discussion on the data size when constructing the system.　The authors should compare the performance against something close to the proposed system.

Explanation of Fig. 5 and Fig. 6 is now updated for comparing the performance fairly. Following text has been added in the main file.

“Figure 5 and 6 shows comparison of the encryption and decryption time of the data with different cryptographic algorithms. Hence, the results are prominent that the Hybrid ECC-AES approach takes less time to encrypt and decrypt data than the existing approaches. Also, the hybrid ECC-AES algorithm has characteristics of both algorithms which provides higher security by increasing the complexity and makes the system strong against attacks. It can also be clearly seen that encryption and decryption time for proposed Hybrid Algorithm is much less as compared to other algorithms. As the time for encryption and decryption is reduced, so as our computational cost also reduced, which is very effective. Hence, our proposed approach works efficiently than others. The evaluation of our proposed scheme is based on encryption time, and decryption time.”

Same description is added in the main file on lines 400-409 in page 17 of the main file as well below Fig. 5 and Fig. 6.

Added Data Size section in Section 4, under sub-heading 4.3 in lines 384-391 on page 15 of the main document. Following is the newly added text.

“We take 3 different images datasets for the comparison of our proposed method with other existing schemes because images usually take more time than the text data, so we want to check the computational cost as well as time required to complete the Encryption and Decryption of the images.  Reason for taking different datasets is to compare performance in multiple scenarios. Size of datasets on which experiments are performed is 3233, 4830, 6308 respectively. We take three different dataset sizes for ensuring our proposed scheme works efficiently in each one.”

Above same description is also added in the Data size section as well.

We also compare our proposed system with one of the closely related system i.e., AES and Blowfish. Comparison can clearly be seen in Fig. 4 and Fig. 5.

This comment related to item 2. Why single AES is slower than Hybrid method? Hybrid methods include single AES. This does not seem to be correct. The authors should not only present the data but also the comparison conditions. As it is, the reader cannot judge whether the data is correct or not.

Yes

“It’s true that single AES is little bit slower than the Hybrid (AES-ECC) method due to its large key size, while Hybrid method allows reduced key size as well as faster security mechanism for securing the data. Another reason is that small key size is the main property of ECC, and when AES uses ECC for encryption, key size is reduced and hence performance is increased.”

Quoted description is also added in the main file in lines 305-310 on Page 12 of the main document.

Wording is strange. What is Elliptical curve. ECC is Elliptic Curve Cryptography. The author should check and update usage of technical term. Some word is difficult to trace. For example, what is hybrid method? Is it proposed one? The author should read related paper which cited by many papers and use same way to show your proposed method.

Elliptical curve is now abbreviated to Elliptical curve cryptography (Line 20, Page 1). Description about important words is now abbreviated correctly.

“Hybrid method is the proposed AES-ECC method. Main reason for combining AES with ECC is to reduce the key size of the data by not compromising the security of the system.”

 Added explanation in the main file at page 17 in lines 397-399. Also, Hybrid method is now described in Introduction section of the paper in lines 62-68 on page 2 of the main file.

As mentioned in the paper, Chen et.al proposed AES-ECC approach first time, for increasing the system security. We read few papers of Chen et.al, to check the method for showing our best and made all possible changes accordingly.

It seems very low-quality figures. The resolution of each entity and organization of figures don’t support the understanding of proposed method.

Some figures in the paper are now updated. We tried to improve the figure quality by importing them directly into the Word file instead of pasting.

Figure 1, Page 4, Line 105

Figure 3, Page 5, Line 134

Figure 4, Page 11, Line 318

Reviewer 2 (major issues)

Please briefly discuss AES and justify the importance and the hypothetic advantages of the proposed method (combining the ECC and the AES). In other words, please explain why we need this new method to ensure authentication given that many existing data security methods have been developed recently. 

“AES is based on the Symmetric key Encryption algorithm, which was developed for the replacement of Data Encryption Standard (DES) and is much faster than the DES because AES contains 128-bit key size whereas DES contains 64-bit key size.

Hypothetic advantage of the proposed method i.e., Hybrid Method (AES-ECC) is maintaining the security of the system over cloud storage efficiently.  Main reason for using this Hybrid approach is to reduce the key size of the data while maintaining the security of the system efficiently in less time. 

Although, many authentication methods exist, however, computational overhead cost and time is not aimed to minimize. In the proposed research, our focus is to make an encryption technique which is less computationally expensive for cloud environment.

All the above details are also added in the Introduction section in Page 2 on Lines 51-55, 62-68 respectively.

The need of the AES along with its justification is now provided in the Introduction section. Moreover, the need for authentication forms part of the paper.

I cannot find any citations in Section 1. Please go through this section again and add citations to support your arguments. 

Four new references i.e., [1], [2], [3] and [5] have been added in the Introduction section for supporting arguments in the lines 52, 58, 59 and 87 respectively.

Related Work. Please justify the originality of this paper since the AES-ECC method was firstly proposed by Chen et al. (2021) (line 123).

The main difference between Chen et al. work and the proposed work is the key size. Secondly, a reduced key size which can lower the computational cost over cloud environment and takes less time than existing security schemes. This is our main contribution and the required details are provided at the end of Page 2 in the main file.

Methodology. Please add a section to describe and discuss the methodology

Methodology section is added in Section 3 of the paper, under subheading 3.1 Research Methodology.

“Below is the research methodology that we followed for this paper:

Firstly, we studied about many existing security schemes and find their limitations for comparing their performance and find out drawbacks in existing schemes. After finding Limitations, we found that computation overhead cost for all schemes is larger and so as the time. Hence, we proposed our new Hybrid approach i.e., AES-ECC for addressing all these limitations. Experimental setup is created for our proposed hybrid scheme and comparison can be done with other methods and hybrid scheme as well. We found that our proposed hybrid scheme outperforms other security schemes in terms of performance and efficiency.”

All the above description along with flowchart is added in the Proposed framework section in Page of Lines 277-302 on page 11.

Along with the paper methodology, we also updated figure for Proposed scheme methodology is included in Section 3.2

All the above description along with diagram is added in the Proposed framework section at Page 12 on line 318.

Reviewer 2 (minor issues)

Line 23: Please change "AES" to "Advanced Encryption Standards (AES)"

Line 42: change "ley" to "key"

Line 44-53: in addition to symmetric key encryption, please briefly discuss asymmetric key encryption.

“Asymmetric key encryption is also known as Public-key cryptography. It contains a pair of keys i.e., Public and Private keys for Encryption and Decryption of the message.”

Description added for Asymmetric Key Encryption in the Introduction section. (Page 2, Line 45,46)

Line 55: Missing a parenthesis 

parenthesis added (Page 3, Line 73)

Line 247: Missing a period. 

Period added (Page 3, Line 87)

Please check the indent throughout the article.

Indentation completed

Line 300 and 302 (titles of the figure). Please keep the capitalization consistent.

Titles of the figures are now consistent. (Page 16, Line 394, 396)

Professional proofreading is highly recommended. There are serval formatting and language issues throughout the paper. 

Several additional changes were made in the document, also formatting issues are now resolved.

Reviewer 1 (major issues)

The structure of the paper is strange. The reviewer think that the proposal is to build a secure cloud service by combining AES and ECC. However, Fig. 4, which is the proposal, is a common configuration and not novel. Also, it does not show that it can prevent the attacks pointed out by the authors. Figure 4 is not divided into entities such as upload user, download user, server, etc., and is not a diagram that can be used to discuss the security level. The authors should properly explain the novelty of the proposed method.

The structure of the paper is revised. A new section i.e., Section 3.1 is added which also explains the paper flow with the help of a methodology diagram. Moreover, Figure 4 is now updated. It can be observed that how the proposed scheme differs from a normal encryption technique. The details have been elaborated in the Lines 318-319 on Page 12 of the main file. A preview of the Figure 4 is provided in appended text. Following text has been added in the main file.

“Attack prevention can be done in the following way. For example, if attacker wants to attack on user side, in order to gain user personal information or for some other purpose; in the proposed approach, once the user upload the input file, file is converted into encrypted text with the help of AES Encryption, now the text is fully encrypted. So, if in a case attacker performs attack and somehow get the user uploaded file, then it’s useless because information is already encrypted on uploading. Similarly, on the other end, if attack performed, attacker is not able to decrypt the encrypted file and hence the data is secured from attacks.”

Also in the Fig.4, now the division of entities can be clearly seen like upload user and download users are now mentioned properly.

“Novelty of the proposed method can be seen in the new proposed diagram, in which secure transmission of user data to server and then storage mechanism is even secured due to encrypted data. Also, novelty can be determined in terms of computational cost and time.”

Quoted descriptions are also added in the main file as well in the lines 321-331 in Page 13 of the main file.

Since the idea of combining ECC and AES is not new, it seems that the authors need to discuss how to combine or implement them to achieve higher speed. However, the comparisons in Fig. 5 and Fig. 6 seem to only list the existing cryptographic algorithms and compare their performance. Therefore, it does not seem to be a fair comparison since there is no discussion on the data size when constructing the system.　The authors should compare the performance against something close to the proposed system.

Explanation of Fig. 5 and Fig. 6 is now updated for comparing the performance fairly. Following text has been added in the main file.

“Figure 5 and 6 shows comparison of the encryption and decryption time of the data with different cryptographic algorithms. Hence, the results are prominent that the Hybrid ECC-AES approach takes less time to encrypt and decrypt data than the existing approaches. Also, the hybrid ECC-AES algorithm has characteristics of both algorithms which provides higher security by increasing the complexity and makes the system strong against attacks. It can also be clearly seen that encryption and decryption time for proposed Hybrid Algorithm is much less as compared to other algorithms. As the time for encryption and decryption is reduced, so as our computational cost also reduced, which is very effective. Hence, our proposed approach works efficiently than others. The evaluation of our proposed scheme is based on encryption time, and decryption time.”

Same description is added in the main file on lines 400-409 in page 17 of the main file as well below Fig. 5 and Fig. 6.

Added Data Size section in Section 4, under sub-heading 4.3 in lines 384-391 on page 15 of the main document. Following is the newly added text.

“We take 3 different images datasets for the comparison of our proposed method with other existing schemes because images usually take more time than the text data, so we want to check the computational cost as well as time required to complete the Encryption and Decryption of the images.  Reason for taking different datasets is to compare performance in multiple scenarios. Size of datasets on which experiments are performed is 3233, 4830, 6308 respectively. We take three different dataset sizes for ensuring our proposed scheme works efficiently in each one.”

Above same description is also added in the Data size section as well.

We also compare our proposed system with one of the closely related system i.e., AES and Blowfish. Comparison can clearly be seen in Fig. 4 and Fig. 5.

This comment related to item 2. Why single AES is slower than Hybrid method? Hybrid methods include single AES. This does not seem to be correct. The authors should not only present the data but also the comparison conditions. As it is, the reader cannot judge whether the data is correct or not.

Yes

“It’s true that single AES is little bit slower than the Hybrid (AES-ECC) method due to its large key size, while Hybrid method allows reduced key size as well as faster security mechanism for securing the data. Another reason is that small key size is the main property of ECC, and when AES uses ECC for encryption, key size is reduced and hence performance is increased.”

Quoted description is also added in the main file in lines 305-310 on Page 12 of the main document.

Wording is strange. What is Elliptical curve. ECC is Elliptic Curve Cryptography. The author should check and update usage of technical term. Some word is difficult to trace. For example, what is hybrid method? Is it proposed one? The author should read related paper which cited by many papers and use same way to show your proposed method.

Elliptical curve is now abbreviated to Elliptical curve cryptography (Line 20, Page 1). Description about important words is now abbreviated correctly.

“Hybrid method is the proposed AES-ECC method. Main reason for combining AES with ECC is to reduce the key size of the data by not compromising the security of the system.”

 Added explanation in the main file at page 17 in lines 397-399. Also, Hybrid method is now described in Introduction section of the paper in lines 62-68 on page 2 of the main file.

As mentioned in the paper, Chen et.al proposed AES-ECC approach first time, for increasing the system security. We read few papers of Chen et.al, to check the method for showing our best and made all possible changes accordingly.

It seems very low-quality figures. The resolution of each entity and organization of figures don’t support the understanding of proposed method.

Some figures in the paper are now updated. We tried to improve the figure quality by importing them directly into the Word file instead of pasting.

Figure 1, Page 4, Line 105

Figure 3, Page 5, Line 134

Figure 4, Page 11, Line 318

Reviewer 2 (major issues)

Please briefly discuss AES and justify the importance and the hypothetic advantages of the proposed method (combining the ECC and the AES). In other words, please explain why we need this new method to ensure authentication given that many existing data security methods have been developed recently. 

“AES is based on the Symmetric key Encryption algorithm, which was developed for the replacement of Data Encryption Standard (DES) and is much faster than the DES because AES contains 128-bit key size whereas DES contains 64-bit key size.

Hypothetic advantage of the proposed method i.e., Hybrid Method (AES-ECC) is maintaining the security of the system over cloud storage efficiently.  Main reason for using this Hybrid approach is to reduce the key size of the data while maintaining the security of the system efficiently in less time. 

Although, many authentication methods exist, however, computational overhead cost and time is not aimed to minimize. In the proposed research, our focus is to make an encryption technique which is less computationally expensive for cloud environment.

All the above details are also added in the Introduction section in Page 2 on Lines 51-55, 62-68 respectively.

The need of the AES along with its justification is now provided in the Introduction section. Moreover, the need for authentication forms part of the paper.

I cannot find any citations in Section 1. Please go through this section again and add citations to support your arguments. 

Four new references i.e., [1], [2], [3] and [5] have been added in the Introduction section for supporting arguments in the lines 52, 58, 59 and 87 respectively.

Related Work. Please justify the originality of this paper since the AES-ECC method was firstly proposed by Chen et al. (2021) (line 123).

The main difference between Chen et al. work and the proposed work is the key size. Secondly, a reduced key size which can lower the computational cost over cloud environment and takes less time than existing security schemes. This is our main contribution and the required details are provided at the end of Page 2 in the main file.

Methodology. Please add a section to describe and discuss the methodology

Methodology section is added in Section 3 of the paper, under subheading 3.1 Research Methodology.

“Below is the research methodology that we followed for this paper:

Firstly, we studied about many existing security schemes and find their limitations for comparing their performance and find out drawbacks in existing schemes. After finding Limitations, we found that computation overhead cost for all schemes is larger and so as the time. Hence, we proposed our new Hybrid approach i.e., AES-ECC for addressing all these limitations. Experimental setup is created for our proposed hybrid scheme and comparison can be done with other methods and hybrid scheme as well. We found that our proposed hybrid scheme outperforms other security schemes in terms of performance and efficiency.”

All the above description along with flowchart is added in the Proposed framework section in Page of Lines 277-302 on page 11.

Along with the paper methodology, we also updated figure for Proposed scheme methodology is included in Section 3.2

All the above description along with diagram is added in the Proposed framework section at Page 12 on line 318.

Reviewer 2 (minor issues)

Line 23: Please change "AES" to "Advanced Encryption Standards (AES)"

Line 42: change "ley" to "key"

Line 44-53: in addition to symmetric key encryption, please briefly discuss asymmetric key encryption.

“Asymmetric key encryption is also known as Public-key cryptography. It contains a pair of keys i.e., Public and Private keys for Encryption and Decryption of the message.”

Description added for Asymmetric Key Encryption in the Introduction section. (Page 2, Line 45,46)

Line 55: Missing a parenthesis 

parenthesis added (Page 3, Line 73)

Line 247: Missing a period. 

Period added (Page 3, Line 87)

Please check the indent throughout the article.

Indentation completed

Line 300 and 302 (titles of the figure). Please keep the capitalization consistent.

Titles of the figures are now consistent. (Page 16, Line 394, 396)

Professional proofreading is highly recommended. There are serval formatting and language issues throughout the paper. 

Several additional changes were made in the document, also formatting issues are now resolved.

Reviews

Answers

In this revision, the information of key length suddenly appears.

The key length has been part of the paper since its first submission. However, it became prominent and vital in the revised versions when we received numerous rounds of revision. The respected reviewer suggested to make a performance comparison. We used the key length feature to highlight this. Moreover, we are using key length because it is important in any security algorithm.

The comparison of speed and cost efficiency must under same condition (in security field mostly used security level). Why authors compare with DES? Is this proposed method being same security level of DES? DES is very old and discontinue algorithm. 

We agree to the reviewer that DES is an old algorithm, however, it cannot be considered as obsoleted or discontinued as several well reputed and recent research papers [2][7][12][14] are still using DES for their proposed algorithms security and performance comparisons. Pls note that in this research we are not comparing the traditional architecture of DES. Furthermore, to satisfactorily answer the reviewer’s this comment, we add another comparison of our algorithm with base paper as well. The new comparison is provided in Figures 9 and 10 in the paper and their encryption and decryption time is now compared with Base Paper.

Figure 9: Comparison graph for encryption time in Hybrid and other existing algorithms using different key sizes

Figure 10: Comparison graph for encryption time in Hybrid and other existing algorithms using different key sizes

Here we can clearly see that our base paper values are also even fluctuating at different Encryption and Decryption times. However, our proposed algorithm outperforms the existing schemes.

DES has been the foundation of many algorithms. Many recent cryptographic algorithms still use DES for their comparisons.

Normally new combination of algorithms and key length parameter need security level proof. In security field, first priority performance is security level and then speed, silicon area, power should be compared.

In the paper, we updated the Table 8, and it clearly shows the security level of the proposed architecture, Updated table is attached below:

“

Table 8 shows the avalanche effect for the various encryption algorithms. The more the change occurring in the cipher due to a single bit change in key or the plain text more is the avalanche effect. Higher the avalanche effect, (as of our proposed algorithm is higher) it becomes difficult to break the algorithm. Hence, we can see that the proposed algorithm has higher security in terms of its Avalanche effect. Below here is the visual representation of the above table, where we can easily see that our proposed algorithm has higher security than other encryption algorithms.

Now we calculate Avalanche effect of the base line model and compare with our proposed hybrid method and other existing schemes as well.

”

We addressed the reviewer comments and have computed the power. The details are below. We are sorry, we did not understand what the reviewer means by “silicon area”.

From Table [6] & [7] of the paper, we can easily determine Power consumed in Watts also. Below here is the Power consumption table:

Table 1: Power consumption of Encryption time

Here is the power consumption of Encryption time in Watts, here we compared our proposed algorithm with DES.

Table 2: Power consumption of Decryption time

Here is the power consumption of Decryption time in Watts, here we compared our proposed algorithm with DES.

We updated and added 2 new tables in Power consumption section at page 29 of the manuscript. Tables are as below:

Table 3: Power consumption of Encryption time (Base Paper)

Here is the power consumption of Encryption time in Watts, here we compared our proposed algorithm with Base Paper.

Table 4: Power consumption of Decryption time (Base Paper)

Here is the power consumption of Decryption time in Watts, here we compared our proposed algorithm with Base Paper.