Securing Data Exchange with Elliptic Curve Cryptography: A Novel Hash-Based Method for Message Mapping and Integrity Assurance

: To ensure the security of sensitive data, elliptic curve cryptography (ECC) is adopted as an asymmetric method that balances security and efficiency. Nevertheless, embedding messages into elliptic curve (EC) points poses a significant challenge. The intricacies of this process can greatly affect the overall security and efficiency of the cryptosystem, reflecting security vulnerabilities observed in many existing schemes that utilize ElGamal ECC-based encryption. In this paper, we introduce an innovative hash-based technique for securely embedding messages into EC points before encryption. A random parameter and a shared secret point generated through the EC Diffie–Hellman protocol are used to bolster the scheme’s security. The security of the proposed method is evaluated against various attack models; moreover, the complexity, and sensitivity of the encryption scheme, as well as its inputs, are analyzed. The randomness assessment of the ciphertext was performed using the NIST statistical test suite. Additionally, we propose a mechanism to ensure the integrity of the message by securely appending a tag to the ciphertext. As a consequence, a comprehensive analysis of our scheme demonstrates its effectiveness in maintaining data security and integrity against various attack models. The algorithm also meets more criteria such as the strict avalanche criterion, linear complexity, and operability.


Introduction
During the first half of 2023, SonicWall Capture Labs reported a 37% year-to-date increase in IoT malware attacks, reaching 77.9 million, as per the SonicWall 2023 report [1].IBM's 2023 report highlighted an average data breach cost of USD 3.78 million across sectors, with critical infrastructure incurring an additional USD 1.26 million [2].These alarming figures emphasize the urgent need to secure sensitive data.Asymmetric cryptographic approaches, particularly elliptic curve cryptography (ECC), play a pivotal role in balancing heightened security with manageable complexity.They also help address the computational demands associated with their impact on battery-powered IoT devices [3].
Within the realm of cryptography, ECC is highly versatile, excelling in key exchange through the elliptic curve Diffie-Hellman protocol (ECDHP), which enables entities to securely establish a shared secret.ECC is widely used in digital signatures via the elliptic curve digital signature algorithm (ECDSA) protocol, ensuring the integrity of transmitted data.For encryption, numerous recent research papers have introduced innovative ECC encryption schemes, often building on foundational methods such as ElGamal ECC-based encryption [4] and the elliptic curve integrated encryption scheme (ECIES) [5].The latter operates as a hybrid system, utilizing ECC to generate a shared key through ECDHP and, subsequently, encrypt the message using a symmetric encryption scheme.This makes it efficient in terms of computational complexity while facing certain drawbacks highlighted in [6,7].
In this paper, we use ElGamal ECC-based encryption as the foundation for introducing an enhanced version.However, a significant challenge arises during the process of mapping messages into elliptic curve (EC) points.If not carefully addressed, this challenge can compromise the overall security and the efficiency of the cryptosystem.Existing schemes utilizing ElGamal ECC-based encryption have notably revealed vulnerabilities in this context, as evidenced by a flaw observed when encrypting the same block several times within a single encryption process, as discussed in [8].Such a flaw could potentially lead to a successful chosen-plaintext attack (CPA) and secret key leakage.This underscores the pressing need for innovative solutions to fortify the resilience of the system against such vulnerabilities.
In this paper, we introduce a novel hash-based technique designed to securely embed messages into EC points before encryption, addressing the aforementioned challenge.To augment the security infrastructure, the incorporation of a random parameter and a shared secret point generated through the ECDHP is proposed, in a manner that prevents unauthorized entities from conducting the message mapping process, distinguishing it from all existing message mapping algorithms.The choice of ECDH and ElGamal encryption, coupled with our proposed mapping method, is motivated by their well-established security features, computational efficiency, and adherence to established cryptographic standards.This combination ensures robust data protection within our proposed cryptosystem, as recommended in [9] and highlighted in [10].Our approach undergoes rigorous evaluation against various attack models, with a comprehensive analysis covering the complexity and sensitivity of the encryption scheme and its inputs.The randomness assessment of the ciphertext is conducted using the NIST statistical test suite [11], ensuring a robust measure of unpredictability.Additionally, we put forth a mechanism aimed at ensuring the integrity of transmitted messages.This involves combining the message mapping scheme and a hash function to generate a tag, which is then securely appended to the ciphertext, enhancing the overall reliability of the communication process.
The findings of our study demonstrate the effectiveness of the proposed scheme in preserving data security and integrity across various attack models.Notably, it provides security against chosen-ciphertext attacks (CCAs), chosen-plaintext attacks (CPAs), malleability, and replay attacks (RAs), as emphasized in Section 5.2.Moreover, the algorithm successfully meets the strict avalanche criterion, showcasing a remarkable change tolerance of 50% even with minor input variations.We have meticulously verified the linear complexity and the operational robustness of the algorithm, reinforcing its standing as a good solution in the realm of ECC-based encryption.
The rest of this paper is organized as follows.In Section 2, we review existing literature, introduce relevant materials, and discuss related works.In Section 3, we propose the new method.In Section 4, we study the performance of the new method.In Section 5, we analyze its security and sensitivity assessment.We provide a step-by-step example of the implementation in Section 6.We conclude the paper in Section 7.

Background and Literature Review
In this section, we delve into definitions and key protocols of elliptic curve cryptography, specifically exploring the elliptic curve cryptography over prime fields, elliptic curve Diffie-Hellman protocol, and ElGamal ECC-based encryption.Additionally, we investigate essential guidelines for secure message mapping.Finally, we highlight related works that contribute to shaping our understanding of advancements in ECC encryption, with a specific focus on schemes utilizing ElGamal encryption.Throughout the remainder of this paper, we denote the sender as (s) and the receiver as (r), which represent two communicating parties.

Elliptic Curve over Prime Fields
Let p > 3 be a prime number, and F p be the prime field of p elements.An elliptic curve E over F p is the set of points (x, y) that satisfy the Weierstrass equation [12]: where a, b ∈ F p with 4a 3 + 27b 2 ̸ ≡ 0 (mod p).Let E(F p ) denote the following set: where O represents the point at infinity.A group structure can be defined over the set E(F p ) together with the addition law described below.
Let P 1 = (x 1 , y 1 ) and P 2 = (x 2 , y 2 ) be two points of E F p .The addition is defined by the following: Algebraically, the coordinates of −P 2 are (x 2 , −y 2 ), and P 3 = (x 3 , y 3 ) is defined by the following: A scalar multiplication of an integer k and a point P ∈ E(F p ) yields another point Q ∈ E(F p ) defined by Q = kP = P + P + . . .+ P k times .
The elliptic curve discrete logarithm problem (ECDLP) involves finding the integer k ∈ N, such that Q = kP, given points Q and P on the curve.Additionally, #P denotes the order of the point P, which is the smallest positive integer n, such that nP = O.

Elliptic Curve Diffie-Hellman Protocol
The elliptic curve Diffie-Hellman (ECDH) protocol is a key exchange scheme that enables two communicating parties to establish a shared secret point over an open and insecure channel.Its security is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP).The protocol operates as follows.
Let G be a generator point of E(F p ).To agree on a secret point, the sender (s) and receiver (r) randomly select their private keys in [1, . . ., #G], denoted as u s and u r , and then proceed as described in Algorithm 1.

Algorithm 1 Elliptic curve Diffie-Hellman algorithm
Require: Generator point G of E(F p ), private key u s of (s), and private key u r of (r).Ensure: The shared key K sh .1: (s) and (r) compute and exchange their public keys P s = u s G and P r = u r G. 2: (s) computes the point K sh = u s P r in E(F p ).
3: (r) computes the point K sh = u r P s in E(F p ). 4: return the shared key K sh .

Elliptic Curve Analogue of ElGamal Encryption
In ElGamal ECC-based encryption [4], the receiver first publishes his public key P r = u r G, where G is a generator of E(F p ) and u r ∈ [1, . . ., #G].To encrypt and send a message, m, to (r), the sender (s) starts by encoding it into B blocks.Subsequently, these blocks are mapped into corresponding points (P m i ) 1≤i≤B in the elliptic curve E(F p ).The sender then proceeds with the following steps to encrypt each point P m i .

•
Generate a random ephemeral key ) to the receiver.In various research papers, ElGamal ECC encryption is often structured to use identical ephemeral keys, denoted as aiming to mitigate the computational overhead associated with point multiplications, specifically k i G and k i P r computations.Throughout the remainder of this paper, we will distinguish between two variants of ElGamal ECC encryption.The first variant, denoted as ElGamal-v1, involves using pairwise distinct values for (k i ), 1 ≤ i ≤ B. The second variant, labeled as ElGamal-v2, employs equal values for (k i ), 1 ≤ i ≤ B across all blocks.The benefits of ElGamal-v2 are obvious in its reduced need for both point multiplications and additions, resulting in lower throughput compared to ElGamal-v1, as illustrated in Table 1.Nevertheless, inadequately implemented message mapping in ElGamal-v2 could expose vulnerabilities to various attacks, including CPA and CCA.

Ground Rules of a Valid Message Mapping
As previously illustrated, a mapping process can compromise the overall encryption system's security if not implemented correctly.Here are some ground rules for mapping plaintexts to elliptic curve points.A plaintext message, M, to be mapped to an elliptic curve, E(F p ), is first subdivided into blocks and converted to an integer in F p ; finally, each block, m, is mapped to a point, P m ∈ E(F p ), using a mapping application, as follows: satisfying the following properties [13] • Ensuring the operationality: The sender can map a block, m, of the message to a point P m = f (m) ∈ E(F p ), and the receiver can reverse the message mapping process to retrieve m = f −1 (P m ).

•
Key dependency: Incorporates shared secret keys into the mapping process to make it key-dependent.This enhances security and prevents unauthorized parties from mapping plaintexts to curve points.

•
Randomization: Introduce an element of randomness into the mapping process to prevent attackers from predicting the mapping for specific plaintexts, namely, systems with small plaintext spaces.This can be achieved by using a random value or salt in the mapping.

•
Resistance to attacks: The mapping process should be designed to resist cryptographic attacks, such as chosen-plaintext attacks (CPA) and chosen-ciphertext attacks (CCAs), and should not mount a weakness that could be exploited by the statistical attack against ciphertext.

•
Bandwidth usage: Well-designed message mapping must depress the bandwidth utilization.For example, if each character of a message is mapped separately to a point on the curve, then the encryption will produce a large amount of data when compared with another mapping scheme that embeds a block of the message.

•
Complexity: Sometimes, there may be trade-offs between complexity and efficiency.More complex mapping processes may provide stronger security but require more computational resources, and, therefore, more power consumption.

Related Work
The following algorithms elucidate various techniques for embedding an integer, m, into a point, P m , on an elliptic curve, E(F p ).
In [15], Srinath and Chandrasekaran propose a method where the likelihood of finding a mapping point is increased by verifying if −x 3 − ax + b is a quadratic residue modulo p.To retrieve m from the point P m = (x, y), the receiver calculates m = ⌊x/k⌋, the greatest integer less than or equal to x/k.An adapted version of Koblitz's method for binary finite fields is discussed in [16].
In [17], Boneh and Franklin propose a method to encode elements into an elliptic curve via the Weierstrass equation y 2 ≡ x 3 + b (mod q) with q = p n , and p ≡ 2 (mod 3).An In [18], Icart presents a method to encode elements into elliptic curves with short equations y 2 ≡ x 3 + ax + b (mod p) with p ≡ 2 (mod 3).An element u ∈ F p is mapped to (x, y) with the following: In [19], Vigila et al. introduce a method to encode each character into a distinct point.In this approach, communicating parties agree on a random point P m ∈ E(F p ).To communicate using this setting, the sender multiplies the ASCII value corresponding to each character by the point P m and encrypts the resulting points using ElGamal-v1.After decryption, the receiver solves the ECDLP to retrieve the ASCII values and reconstructs the original message by converting ASCII values back to characters.This procedure demands substantial resources in terms of power and computation.
In [20,21], the communicating parties agree on a table where each character is associated with a distinct point on the curve.Utilizing this table, the sender encrypts points that correspond to message characters.Once the receiver decrypts the cipher, they can retrieve the original message using the same table.Although [21] employs ElGamal-v1, and [20] utilizes a modified version of ElGamal-v1, both approaches exhibit high complexity and bandwidth usage.
To map a message with n characters, the approach suggested in [22] starts by selecting a generator point, G. Subsequently, each character is associated with the point αG, where α corresponds to the alphabetic order of the character.These points are then organized into a matrix Q with dimensions of 3 × (n+q) 3 , filling the remaining q = n (mod 3) positions with points corresponding to white space.Additionally, the matrix Q is multiplied by a public 3 × 3 non-singular matrix A. The resulting matrix AQ contains the message mapping points, which will be encrypted later using ElGamal-v2.An implementation of this method is provided in [23].
The mapping algorithm proposed in [13] begins by converting each character of a message block into an 8-bit representation of its corresponding ASCII code.These representations are then concatenated to form a binary string m, which is padded with a fixed number, N, of zeros.The resulting binary string is then converted into an integer, x.Subsequently, x is incremented by one until finding an integer y, such that (x, y) forms a mapping point of the message block.This method is analogous to Koblitz's message mapping approach with base parameters k = 2 N and x = m ′ k + j, where m ′ represents the decimal form of m.
The upcoming schemes introduce recent ECC-based encryption techniques designed to enhance data security in IoT-based devices.These schemes incorporate some of the aforementioned message-mapping algorithms.
In [24], Almajed and Almogren introduce an authenticated encryption scheme based on elliptic curve cryptography.In this scheme, the bit string of the first message block is XORed with an initial vector (IV) to yield block B 0 .For i ∈ {1, . . ., NumberO f Blocks}, B i is the result of XORing the bit string of the message block number, i, with B i−1 .Each block, B i , is then padded with 3 bits and mapped to a point on an elliptic curve.An enhanced version of this work is proposed in [8], where each block, B i , is the result of XORing the bit string of the message block number i with the x-coordinate of B i−1 , the corresponding mapping point.The base parameter used in Koblitz's method during message mapping is k = 16.
In [25], the authors propose a clustering-based approach that employs fuzzy C-means and enhanced ECC-ElGamal encryption for secure data transmission in wireless sensor networks.The authors employ Koblitz's method to encode messages onto a curve point.However, the paper addresses certain security threats while leaving others unexplored, such as malleability, CCA, and replay attacks.
In [26,27], Reegan and Kabila propose two approaches to integrate DNA sequences for encoding and decoding messages, employing Koblitz's method for mapping messages to curve points and ElGamal-v2 for encryption.While the concept of utilizing random DNA sequences for data encryption is intriguing, its current implementation is neither cost-effective nor practical for most applications.Additionally, both methods fall short of explaining the specific process by which communicating parties reach a consensus on the DNA sequences used during encoding.
In [28], Das and Namasudra propose a novel encryption scheme that utilizes ECC, AES, and Serpent to secure healthcare data in IoT-based healthcare systems.ECC is employed to encrypt a timestamp (TS) using ElGamal ECC-based encryption, but the authors do not clarify the mapping of TS to a point, which can harm the overall security of the system.
Most of the related work schemes are classified as static message mapping schemes [4,13,14]: This occurs when each message character or message block is consistently mapped to the same point under the same public parameter (base parameter k, ASCII code, alphabetic order, etc.).These methods are insecure against CPA and CCA when used with ElGamal-v2, as we will demonstrate in Section 5.2.Notably, those that map each character to a point are also vulnerable to frequency analysis attacks.However, these security flaws can be addressed if the mapping is coupled with ElGamal-v1 [19][20][21], although there will be tradeoffs in terms of security and computational overhead.An alternative mapping approach has emerged in recent schemes that integrate ElGamal-v2 and employ methods such as initial vector (IV) [8,24] or matrix multiplication [22] for mapping.These approaches establish a one-to-many relationship between a message character or block and elliptic curve points, allowing the message to be mapped to different points for each mapping attempt.Nevertheless, an adversary can still map messages of their choice, except in the case of schemes incorporating random DNA sequences [26,27], which face challenges related to DNA sequence agreements and their associated limitations.

The Proposed Scheme
In this section, we present an enhanced version of the ECC-based encryption outlined in [29].First, we consider an elliptic curve E(F p ) defined by the Weierstrass equation, Equation (1), over the prime field F p , where G represents its base point.In Table 2, we provide a comprehensive overview of various parameters that will be used throughout the remainder of this paper.Public key of user u.

K sh
Secret key shared between sender (s) and receiver (r).

M
The plaintext message.l o Length of the object o (number of digits or number of characters).

H(x)
Hash value of x converted to an integer with l p − 2 digits.
the n-th nested composition of the hash function H applied to the input x.

B Number of message blocks. m i
The message block number i as an integer.lsd n (x) x, after discarding its n least significant digits.

+
Employed to represent the addition of points and the addition of numbers.

x ⊕ y
Aligning binary values of x and y by left-padding with '0's to ensure equal size, then applying bitwise XOR.
In modular arithmetic, lines and curves serve as abstract representations used to describe mathematical relationships or sequences within the modular space, as opposed to the tangible geometric lines in Euclidean geometry.Nevertheless, the intersection of lines with the elliptic curve in modular space, starting from a shared secret point, forms the foundation of our proposed message mapping method.To delineate the entire system, this section is structured into six primary phases.These include key generation, tasked with creating the necessary keys for subsequent phases; message encoding, involving the conversion of messages into integer blocks represented as elements of F p ; message mapping onto elliptic curve points; tag generation and encryption of the mapped points; decryption of the cipher points and tag verification; the reversal of the message mapping; and finally, integer values decoding to restore the original message.A comprehensive overview of the proposed scheme is depicted in Figure 1.

Key Generation
Key generation is a vital step in establishing secure communication, serving as a cornerstone of modern cryptography.Algorithm 2 illustrates the key generation process using ECC.In this context, the user (s) independently selects a private key and calculates his public key using that private key, while the user (r) does likewise.In the upcoming sections, we will elaborate on how users (s) and (r) use their private and public keys, as well as the parameter Counter, for secure communication.

Algorithm 2 Key Generation
Require: An elliptic curve E(F p ), and a generator G. Ensure: Two private keys, a shared key, and a Counter.
1: Users (s) and (r) initialize Counter = 0 2: User (s) chooses a random private key u s 3: User (s) calculates the public key P s = u s G 4: User (r) chooses a random private key u r 5: User (r) calculates the public key P r = u r G 6: Publish the resulting points P s and P r 7: Both users (s) and (r) use their private key and ECDHP to compute a shared key K sh = (x s , y s ) as described in Algorithm 1 8: Each user stores his private key, the point K sh and Counter = 0

Message Encoding
In [29], the plaintext M is converted to the integer value where ASCII(M[i]) represents the ASCII value of the i-th character of plaintext M.Then, the resulting integer is subdivided into blocks of l p − 3 digits, and each block is mapped to a point on the curve.This process increases the conversion time due to the exponentiation calculations, particularly for larger message sizes.To avoid this issue within this paper, we segment the plaintext into blocks of size q = ⌊(l p − 2)/ log(256)⌋ prior to encoding, this yields l M q + ϵ blocks, where ϵ is defined as follows: Furthermore, for each encryption attempt, the sender (s) randomly selects an ephemeral key (k), ensuring that k is less than the order of the base point, G.The sender then computes and publicly discloses the value of kG, and subsequently computes and stores the session key kP r = (x k , y k ) for further usage.
Afterward, the plaintext message blocks are converted into (m ′ i ) 1≤i≤B integers in F p , and then encoded into the integer sequences (m i ) 1≤i≤B using H (Counter) (x k ) as the outcome of the nested composition of the hash function H applied to the input x k and each integer index.Note that (m i ) 1≤i≤B are pairwise-distinct, even if i ̸ = j exists, such that m ′ i = m ′ j .Figure 2 illustrates the different steps to encode a plaintext message.

Message Mapping
Message mapping is a necessary process during ElGamal ECC-based encryption, as ECC arithmetic operates solely on points along the curve.It associates the arbitrary plaintext to some points called mapping points, accomplished by mapping either an individual character or an entire plaintext block to a single point.The proposed message mapping Algorithm 3 involves padding each encoded block, m i , on both its left and right sides with '1' and '0', respectively.This modified block is subsequently mapped to a point P m i = (x m i , y m i ), which satisfies the following system of equations: and where S i = (y s − m i )x −1 s (mod p) represents the slope of the line passing through the shared secret point K sh = (x s , y s ).Furthermore, during the encoding phase, the incorporation of the hash value H (Counter) (x k ) is integral.Here, x k serves as the random source for the proposed message mapping scheme.However, the apparent randomness observed is only from the adversary's viewpoint.This arises due to x k being derived as the x-coordinate resulting from the scalar multiplication of the receiver's public key, P r , and a randomly chosen positive integer, k < #G.The scheme can be executed multiple times, altering both the most significant and least significant digits of m i .In each iteration, the problem is redefined when seeking a solution (Figure 3).
The task of solving System ( 7) is addressed by substituting its first equation into the second, resulting in Equation ( 8) Since the x-coordinate x s of K sh is a solution to Equation ( 8), the problem reduces to the following quadratic equation: For the same reason, we have the following: Hence, solving System ( 7) is equivalent to solving the following equation: in F p \ {x s }.According to [30], such equations can be efficiently solved over the prime field F p using the algorithm proposed by Berlekamp [31], which has a complexity of O(4 log(p)).However, this equation can be deterministically solved by applying the same relations commonly used to solve second-degree polynomial equations in the real numbers field, while preserving the requirement of the prime field F p .

Algorithm 3 Message mapping algorithm
Require: An elliptic curve E(F p ), the shared key K sh = (x s , y s ), and an integer block m i .Ensure: The mapping point P m i = (x m i , y m i ) 1: Pad m i on the left with '1' and on the right with '0' 2: for all (l, r) ∈ {0, . . ., 9} 2 and l ̸ = 0 do 3: m i ← Integer m i with left digit equals l and right digit equals r 4: if System (7) has a solution P m i = (x m i , y m i ), then 6: end if 8: end for

Encryption
The proposed encryption Algorithm 4 is a variant of ElGamal ECC-based encryption.It plays a crucial role in guaranteeing the confidentiality and integrity of messages during their transmission.In the realm of cryptographic communication, ensuring the security of messages against interception and tampering attacks is of paramount importance.To achieve this, we introduce a tag denoted as C m * , which is appended to the ciphertext.This tag acts as a safeguard, preserving the integrity of the transmitted data.The process of generating the C m * tag involves a series of intricate steps.Starting with the computation of m * , which involves various parameters, including the coordinates of the message's mapping points, the sender's ID s , and Counter; this value is then encoded into a mapping point represented as P m * .Figure 4 depicts more details about the tag creation.Furthermore, this algorithm addresses the encryption of the mapping point associated with each message block, as shown in Figure 5.In the upcoming security analysis section, we will delve into a comprehensive examination of how these enhancements bolster security and safeguard against vulnerabilities.
The decryption is described in Algorithm 5.It is a pivotal component of the proposed cryptosystem, as it handles data transmitted through an untrusted communication channel.Its primary objective is to ensure the integrity of the received ciphertext.To achieve this, the algorithm performs ElGamal ECC-based decryption to recover the mapping points (P m i ) 1≤i≤B .Subsequently, it computes C m * and compares the result with the received tag C m * while updating the Counter value to match the sender's Counter.If the tag verification is successful, the algorithm accepts the mapping points (P m i ) 1≤i≤B .Otherwise, it rejects the ciphertext and returns ⊥, as shown in Figure 6.In our security analysis section, we will explore how this process enhances the system's resilience against various attacks.

Reverse Mapping and Decoding Process
The reverse mapping Algorithm 6 serves as a critical component within the proposed cryptosystem.Its primary function is to reverse the mapping process applied during encryption, thereby facilitating the recovery of the original message.Through this essential process, the algorithm ensures the integrity of the transmitted data.To achieve its goal, the algorithm operates iteratively for each i = 1, 2, . . ., B, where the receiver calculates the slope, S i , of the line passing through the points K sh and P m i .Subsequently, he retrieves m i as the y-intercept of this line, excluding the first and last digits.Figure 7 summarizes the complete procedure.The resultant number sequence (m i ) 1≤i≤B undergoes a decoding transformation.For each index i = B, B − 1, . . ., 2; we define the integer m ′ i as the result of the bitwise exclusive OR (XOR) operation between m i , i, and m i−1 .Additionally, for i = 1, m ′ 1 is defined as the bitwise XOR between m 1 , 1, and H (Counter) (x k ), where x k is the x-coordinate of the session key kP r .The next step involves converting the resulting integers into text format.This is achieved by dividing the binary representation of each integer m ′ i into 8-bit blocks, which are then decoded using the ASCII table to obtain characters corresponding to their respective integer values.Finally, these text components are concatenated to reconstruct the original plaintext message M. Figure 8 illustrates how the integer sequence (m i ) 1≤i≤B resulting from reverse mapping is decoded to the original plaintext message.Compute S i ≡ (y s − y m i )(x s − x m i ) −1 (mod p).

5:
Compute m i ≡ (y m i − S i x m i ) (mod p) (Remove first and last digits). 6: Append the resulting m i to IntBlocks.7: end for 8: m 0 ← H (Counter) (x k ).9: for i from 0 to B − 1 do 10: 12: Convert m ′ j to text. 14: Concatenate the resulting text to the left of M. 15: end for 16: return M.

Performance Evaluation
In this section, we present an assessment study for the proposed scheme and provide a comparison with some of the related methods.The experiments were conducted on a virtual machine hosted in an Intel Core i5-8350U processor running at 1.70 GHz, 1 GB of memory, and 2 processors.

Overlapping Problem
The proposed message mapping algorithm is a probabilistic method.Utilizing the secret key point K sh and the numerical value m i corresponding to a message block B i , the algorithm iterates in an attempt to identify an intersection point P m i between the line passing through the point K sh = (x s , y s ) with a slope of S i = (y s − m i )x −1 s .However, it is important to note that this method may fail to produce such a point.In this paragraph, we investigate the probability of success for the proposed message mapping scheme.
Embedding the integer m i into a point P m i ∈ E(F p ) using Algorithm 3 is equivalent to finding a solution for the quadratic Equation ( 9) This equation admits a solution if and only if its discriminant, ∆, is either zero or a quadratic residue.Consequently, the probability that Equation ( 8) has a solution is equal to the probability that ∆ is either zero or a quadratic residue.Given that F p contains one zero and p−1 2 quadratic residues [32], we can ascertain that P(∆ is zero or a quadratic residue) = p + 1 2p .
Furthermore, the probability of Algorithm 3 succeeding in finding a mapping point for a message block in exactly k rounds is 2p .Thus, the algorithm produces a mapping point through n rounds with a probability of However, due to the largeness of p, this can be effectively approximated as 1.Figures 9-12 illustrate the empirical determination of the requisite number of rounds to successfully map 1000 randomly selected message blocks throughout various NIST elliptic curves.The results indicate that our proposed method effectively accomplishes the mapping of 50% of blocks within the initial rounds, achieving complete mapping (100%) in 8 rounds over the majority of cases.These findings align efficiently with theoretical predictions, affirming that Algorithm 3 exhibits a probability (P 1 ) exceeding 1 2 to map a block within one round and a probability (P 8 ) exceeding 0.9961 to map a block within 8 rounds.Nevertheless, as illustrated in Figure 11, the algorithm may necessitate additional rounds.Consequently, each encoded block undergoes padding with one digit from '1' to '9' on the left and another digit from '0' to '9' on the right until a mapping point is identified.As a result, the algorithm is designed to allow a maximum of 90 mapping rounds per block, thereby ensuring its correctness with a high degree of confidence (P 90 ≈ 1).

Complexity Analysis
The complexity of the overall encryption algorithm is influenced by the number of rounds needed to map message blocks onto a given elliptic curve.To assess this, the probability distribution of our proposed mapping algorithm allows us to determine the average number of rounds required to map a message block.Taking into consideration that p is a large prime number, this calculation is represented as follows: In parallel, a statistical test is conducted by generating a random plaintext with a size of 10 KB.Subsequently, this plaintext is encrypted using various NIST elliptic curves, and the number of rounds required to map the message onto each curve is measured.The testing phase is carried out using the proposed methods and algorithms outlined in [16,24].The results, as presented in Table 3, illustrate that the moderate number of rounds needed for each block is approximately 2, closely aligning with the theoretical result.Therefore, the computational complexity of the message mapping is O(2B), which is equivalent to O(n), where B = ⌊n/q⌋ + ϵ, for a message of size n characters and blocks of size q characters.Consequently, both the encryption and decryption processes have a complexity of O(n), as they only require B-point addition operations.Hence, the running time growth of message mapping, encryption, decryption, and reverse mapping is linear versus the size of the plaintext.Figures 13-16 illustrate analyses of the running time of the proposed algorithm across various recommended NIST elliptic curves for different sizes of random plaintexts.It is important to note that the total encryption time comprises the time required for both message mapping and the encryption algorithm itself.Similarly, the total decryption time includes both reverse mapping and the decryption algorithm execution.The experimental findings align with the theoretical results, depicting timing graphs for all processes that exhibit a consistent linear increase with a low slope concerning plaintext size.

Key Sensitivity Analysis
Key sensitivity describes how a ciphertext responds to small changes in the encryption key and reflects the impact of the key on the encryption procedure.If this influence is substantial, around 50%, it indicates that the encryption scheme is key-sensitive.Low sensitivity can make a system vulnerable to various attacks, such as differential attacks.
Throughout the analysis, we use the NIST elliptic curve spec256k1, and binary key spaces I i = {K i,j ∈ {0, 1} 256 /j = 1 . . .101} are created, where K i,j is obtained by altering randomly one bit of the randomly chosen key K i,1 , where all keys in I = 1≤i≤100 I i are pairwise distinct, and a random plaintext, m, is used.Then, we run the key sensitivity analysis on the following model: where C i is the set of ciphertexts obtained by encrypting a message, m, using a key in I i each time.Furthermore, we measure the rate of change by XORing the first cipher with all remaining ciphers in C i , then counting the number of bits equal to 1. Similar key sensitivity analyses were carried out for the mapping scheme.The findings are presented in Figures 17, 18, and Table 4, showing that the proposed scheme fits the confusion property and the strict avalanche criterion [33], with an average change rate of 50% and only slight deviations.

Plaintext Sensitivity Analysis
Plaintext sensitivity measures the rate of change in the ciphertext with respect to a slight bit alteration in the plaintext, while the encryption key stays unchanged.In this test, a random plaintext, m, with 26 characters is selected; we generate a sequence of plaintexts (m i j ) 1≤j≤100 retrieved by altering the bit number i j of m each time, where i j is chosen randomly.The resulting data are encrypted with the same key, together with m.Then, we analyze the changes in mapping points and ciphertexts.Figure 19

Statistical Analysis
The NIST Statistical Test Suite consists of statistical tests used to measure the randomness of data generated by a pseudo-random number generator (PRNG) or a cryptographic algorithm.To evaluate the randomness of data generated by the proposed encryption scheme, we encrypt random plaintexts and store the resulting ciphertexts as binary sequences in a file of size 20 MiB, and we set the significance level at α = 0.01.The algorithm's ciphertexts pass a test if the number of rejected sequences is less than or equal , where n represents the number of tested sequences.The length of sequences being tested is initially set at 2000 bits but may vary based on specific testing requirements.In assessing the data randomness, we conducted NIST statistical tests, which generally yielded positive results.However, the serial test, as documented in Table 5, revealed an anomaly.As depicted in Figure 22, the remarkable consistency between the expected and observed counts of rejected sequences underscores the continued randomness of the ciphertext data from an eavesdropper's perspective.This finding serves as evidence of the algorithm's resilience against statistical attacks.

Key Spacing Analysis and Brute Force
Due to the high computing abilities of modern computers, it is crucial to ensure that the key size is sufficiently large to be immune from any probable brute force attack.To withstand such an attack, the key spacing should be greater or equal to 2 100 [34].As mentioned in [35], to process data and implement protection measures, NIST recommends using a minimum of 112-bit security strength until at least 2030, necessitating an elliptic curve with a base point order of 224 bits [36].Even if we exclusively use keys greater than 2 224 , we still have 2 223 distinct secret keys, a significantly large number compared to the recommended range.This demonstrates that our proposed scheme satisfies key spacing requirements, thereby providing security against exhaustive search as a form of brute force attack.

Known Plaintext Attack (KPA)
In this attack, the adversary's objective is to extract additional information by leveraging knowledge of some plaintext and ciphertext pairs.The proposed message mapping algorithm attaches n characters (elements of an extended ASCII table) to a single point on the curve and then encrypts the results.Hence, the likelihood of encountering an identical sequence of characters is 1 256 n .Furthermore, the use of a random key, k, and parameter, Counter, makes the algorithm produce different mapping points and ciphertexts for the same message.In addition, the mapping mechanism uses two secret points, K sh and kP r .Thus, the attacker cannot generate a mapping point for a known message, owing to the assumed hardness of the elliptic curve discrete logarithm problem (ECDLP).For these reasons, the known plaintext attack is infeasible.

Ciphertext-Only Attack (COA)
Selecting an elliptic curve, a base point, and a prime field is crucial to the security of the scheme.In the proposed method, we recommend implementing standardized elliptic curve parameters to ensure the intractability of ECDLP and to prevent brute force attacks due to the large key space.In addition to the high entropy observed in the generated ciphers, frequency attacks are not feasible, as discussed in the previous subsection.Hence, the proposed method is secure against such attack models.

Chosen-Plaintext Attack (CPA)
Ensuring security against a chosen-plaintext attack (CPA) is crucial for concealing information within ciphertexts, thus upholding the confidentiality of an encryption scheme.In this attack, the adversary, equipped with an encryption oracle, requests ciphertexts for chosen plaintexts to extract secret information or identify patterns.Advanced security definitions, such as IND-CPA (indistinguishability under chosen-plaintext attack), extend the CPA model to provide a more comprehensive evaluation of encryption system security against such attacks.In IND-CPA, the adversary not only requests ciphertexts for chosen plaintexts but is also challenged to guess which one among a pair of chosen plaintexts is encrypted by the challenger based on his/her request.More formally, the steps in the adversary and challenger indistinguishability game under CPA are as follows: 1.The challenger generates a key pair (P u , SK) with a security parameter k, shares the public key P u with the adversary, and keeps the private key SK. 2. The adversary requests ciphertexts for a polynomially bounded number of chosen plaintexts and/or performs other operations.3. The adversary submits two distinct chosen plaintexts, M 0 and M 1 , with the same size.4. The challenger selects a bit b ← {0, 1} randomly, and sends the ciphertext C = Enc(P u , M b ) back to the adversary.5.The adversary can conduct any desired number of additional computations or encryptions.6.In the end, the adversary outputs a conjecture for the value of b.
The advantage of the adversary, A, in winning the IND-CPA game against the encryption system Π = (Gen, Enc, Dec) is computed as Adv Π IND-CPA (A, P u ) = |P(A win the game) − P(A lose the game)|.The cryptosystem Π is considered IND-CPA secure if the adversary's advantage is negligible, specifically expressed as where ϵ(k) is a negligible function in the security parameter k.
Claim 1.Let Π = (Gen, Enc, Dec) be an ECC-based encryption system, where the encryption scheme Enc uses ElGamal-v2, and a message mapping algorithm, denoted as Mapp, which operates independently of a secret key.Then Π is insecure under CPA.
Proof.In this proof, we start by showing that Π is not IND-CPA.Subsequently, we elucidate how this vulnerability facilitates the recovery of secret information.Finally, we conclude that Π is insecure under CPA.Consider an adversary, A, who selects and transmits two plaintexts, M 0 and M 1 , of the same size to the challenger.For each i ∈ {0, 1}, the encoding of M i results in two message blocks.Consequently, the challenger chooses a bit, b, randomly, and responds with the ciphertext, C b = Enc(M b ), containing two cipher points, C b,0 and C b,1 .These cipher points are computed as C b,i = P b,i + kP u , where kP u is the point multiplication of the public key, P u , by a random integer, k, and P b,0 and P b,1 represent the mapping points of the first and second message blocks, respectively.Since the mapping algorithm is keyindependent, the adversary computes the message mapping point Mapp(M 0 ) = {P 0,0 , P 0,1 } of plaintext M 0 .Subsequently, he/she computes V 0 = P 0,0 − P 0,1 and V b = C b,0 − C b,1 = (P b,0 + kP u ) − (P b,1 + kP u ) = P b,0 − P b,1 .Then, if V 0 = V b , the adversary guesses that b = 0, else, b = 1.Thus, Adv Π IND-CPA (A, P u ) = 1, proving that Π is not IND-CPA.Furthermore, suppose that the adversary found that b = 0, they can compute kP u as C b,0 − P b,0 and use it to decrypt or encrypt any messages of their choice.In conclusion, the Π is insecure under CPA.This attack holds true even when the encryption system processes character by character.
Claim 2. The proposed scheme Π ps = (Gen ps , Enc ps , Dec ps ) is CPA secure, and any probabilistic polynomial-time adversary cannot win the IND-CPA game with a probability better than a random guessing.
Proof.The proposed scheme employs ElGamal-v2.The highlighted attack in the preceding proof is inapplicable due to the key-dependent nature of the mapping algorithm.Furthermore, by incorporating the shared secret point, K sh , and the parameters Counter (incremented after each successful encryption attempt) and a random key k to derive the point kP r = (x k , y k ), initiating the encoding process with , and encoding the subsequent blocks in a manner that mirrors CBC behavior ( for i = 2, 3, . . ., B), this guarantees the generation of distinct mapping points even when faced with identical message blocks.Consequently, different cipher points C m may arise for a message block m within the same encryption cycle or in a new cycle, introducing a non-one-to-one relationship between plaintext and ciphertext.Therefore, for any given plaintext M, it holds that Enc ps denote distinct encryption cycles within the proposed scheme.Furthermore, the encryption scheme Enc ps demonstrates a change rate of 50% in response to minor alterations in either the plaintext or the key and produces random ciphertexts from the adversary's perspective, as elaborated in Section 5.1.To be more precise, each bit of the ciphertext bears a 1 2 probability of modification with even slight changes in the key or the plaintext.In the IND-CPA game, an adversary's strategy is no more effective than random guessing (Adv Π ps IND-CPA (A, P u ) = negligible), and the security of the scheme is directly linked to the adversary's ability to solve the ECDLP, making private key extraction or secret information from knowledge about pairs of chosen plaintexts infeasible.Therefore, the proposed scheme Π ps is IND-CPA and provides a high level of security against chosen-plaintext attacks.
Based on Claim 1, it can be asserted that the ECC-based encryption schemes [4,13,14,22] are vulnerable to CPA.This vulnerability arises from the incorporation of ElGamal-v2 and a key-independent message mapping, resulting in the generation of identical ciphertexts for a given message across different encryption cycles.Attempts to mitigate this potential vulnerability, as proposed in [8,24] by using a new initial vector (IV) for each encryption cycle.However, it is suggested that this measure falls short, as adversaries could still leverage the received IVs along with the ciphertext to compute mapping points and execute the described attack outlined in the proof of Claim 1. Furthermore, the proposed scheme succeeds in achieving CPA security with a balanced complexity and bandwidth usage, unlike other related encryption schemes that achieve CPA security through the incorporation of ElGamal-v1, which demands substantial resources in terms of power, computation, and bandwidth.

Malleability
Malleability describes the capacity of an adversary to create a valid ciphertext from a given one, so it can be decrypted to a plaintext related to the original plaintext.In other words, let C m be the ciphertext corresponding to a plaintext, m, an attacker can create a new ciphertext, C, which can be decrypted to f (m) for a known function, f ; such an encryption scheme is malleable [37].
In our proposed method (see Section 3.4), a ciphertext of a message, m, is of the form To exploit the malleability of such a cipher, an adversary has to add a chosen point, Q, to a cipher point C m i in a manner that the receiver decrypts the new cipher C m i = Q + P m + kP r , and obtains P m i = Q + P m instead of P m i .Once all mapping points are recovered by the receiver (r), verification is initiated through the computation of The receiver then computes and encrypts its corresponding mapping point P m * to C m * .The decryption is rejected if C m * ̸ = C m * .Moreover, m * is sensitive to any changes in ciphertext parts, even a small change like the order of cipher points (C m i ) 1≤i≤B , which preserves the integrity of the message.From the previous reasons, we conclude that the proposed method is a non-malleable scheme.

Replay Attack (RA)
The replay attack is a significant security threat within the realm of cryptographic communication.In this type of attack, an adversary intercepts and then maliciously retransmits previously captured data or messages with the intention of deceiving the recipient system or gaining unauthorized access.In [38], the authors executed a replay attack against an implantable cardioverter-defibrillator (ICD) device, successfully compromising the safety and privacy of the simulated patient.Figure 23 illustrates a scenario involving a replay attack against a healthcare provider.In this scenario, the attack deceives a doctor by causing them to repeat a telemedicine action, even though the adversary is merely retransmitting an old ciphertext from the sender.This example highlights the real-world implications and risks associated with replay attacks in various contexts, including healthcare and beyond.
In the proposed scheme, a shared parameter named Counter starts at zero and is consistently incremented during both the encryption and the decryption, ensuring synchronization between the sender and receiver during communication.This mechanism prevents the reuse of the same Counter, which is included in the ciphertext's tag C * , and as demonstrated in the malleability Section 5.2.5, this tag is not forgeable.Hence, the decryption oracle rejects all received ciphertexts with an outdated Counter and returns ⊥.Based on the preceding arguments, it can be concluded that the proposed scheme is secure against replay attacks (RAs).In addition to ensuring security against CPA, it is crucial to consider security against chosen-ciphertext attacks (CCAs) to further strengthen the encryption system.In a CCA attack, the adversary gains access to the decryption oracle, allowing them to request the decryption of ciphertexts of their choice.This attack aims to exploit vulnerabilities in the decryption process and potentially reveal sensitive information.To evaluate the security of an encryption system against CCA, advanced security definitions like IND-CCA (indistinguishability under chosen-ciphertext attack) are employed.In IND-CCA, the adversary is not only allowed to request ciphertexts for chosen plaintexts but can also submit ciphertexts for decryption and observe the corresponding plaintexts.The goal is to make it computationally infeasible for the adversary to distinguish between two equallength ciphertexts, one encrypted under a random key and the other either encrypted under the target key or chosen at random.In addition, the adversary engages in an IND-CCA game with the challenger under the following steps.
1.The challenger generates a key pair (P u , SK) with a security parameter k, shares the public key P u with the adversary, and keeps the private key SK.Claim 3. Let Π = (Gen, Enc, Dec) be an ECC-based encryption system, where the encryption scheme Enc uses ElGamal-v2, and a message mapping algorithm, denoted as Mapp, which operates independently of a secret key.Then Π is insecure under CCA.
Proof.Similar to the proof of Claim 1, the adversary chooses and submits two ciphertexts, C 0 and C 1 , of the same size, ensuring that each ciphertext, C i , contains at least two cipher points, C i,0 and C i,1 , where i ∈ {0, 1}.
Subsequently, the challenger randomly chooses a bit b ← {0, 1}, decrypts M b = Dec(C b , SK), and sends back the result to the adversary.To distinguish whether the challenger decrypted the ciphertext C 0 or C 1 , the adversary computes Mapp ( M b ) = {P b,0 , P b,1 } as the mapping points of M b and the following values: Then, if V b = V 0 , the adversary deduces that b = 0, otherwise, they state that b = 1.In this strategy, the adversary's probability of winning the IND-CCA game is 1, hence, Adv Π IND-CCA (A, P u ) = 1, and Π is insecure under IND-CCA.Once b is computed, they recover kP u as a result of C b,0 − P b,0 and use it for further encryptions or decryptions.In conclusion, Π is insecure under CCA.Claim 4. The proposed scheme Π ps = (Gen ps , Enc ps , Dec ps ) is CCA secure, and any probabilistic polynomial-time adversary cannot win the IND-CCA game with a probability better than a random guessing.
Proof.The proposed scheme Π ps effectively guards against replay attacks.Consequently, the decryption oracle within this scheme is designed to reject any replayed ciphertext during the tag C * verification process.The adversary's ability to generate valid ciphertexts is then contingent upon successfully forging a tag or encrypting chosen plaintexts.Achieving such feats is only possible by solving the ECDLP.This is due to the fact that the message mapping, Mapp ps , encryption, Enc ps , and tag, C * , creation in Π ps require secret keys such as K sh , kP r , and additional parameters like Counter.As a result, the proposed scheme, Π ps , demonstrates indistinguishability under chosen-ciphertext attack, providing robust protection against CCA.
According to Claim 3, the ECC encryption schemes [4,13,14,22] exhibit vulnerabilities against chosen-ciphertext attacks, allowing adversaries to successfully win the IND-CCA game with a probability of 1.Moreover, diverse methods advocate the use of random initial vectors (IVs) for each encryption attempt, aiming to ensure distinct ciphertexts for identical plaintexts when employing a block cipher, as proposed in [8,24].Nevertheless, adversaries can leverage weaknesses in these schemes to achieve success in the IND-CCA game.The process involves computing {P b,0 , P b,1 } = Mapp(M b , IV 0 ) and {P ′ b,0 , P ′ b,1 } = Mapp(M b , IV 1 ), representing the mapping points of the recovered message M b using initial vectors IV 0 and IV 1 for ciphertexts C 0 and C 1 , respectively.We define the following values as follows: If V b = V 0 or V ′ b = V 0 , the adversary outputs b = 0, otherwise, they output b = 1.This assertion remains valid even in the presence of integrity mechanisms, assuming that C 0 and C 1 are captured in communication traffic and replayed without alterations.Therefore, these cryptosystems are lacking in terms of indistinguishability under the chosen-ciphertext attack (IND-CCA).

Side-Channel Attacks
Side-channel attacks [39] are a significant threat to cryptographic systems, including ECC-based implementations.These attacks exploit unintended information leakage from the physical implementation of a cryptographic algorithm, such as timing information, power consumption, electromagnetic leaks, or even sound, to infer secret data.
Recent studies emphasize the importance of mitigating these attacks through various countermeasures.In [40], Socha et al. provided a comprehensive overview of the impact of side-channel attacks on both hardware and software cryptographic implementations.Additionally, Vanhoef et al. [41] presented a timing attack against an encoding method to elliptic curve points, exploiting timing leaks generated by arithmetic operations behind ECC.Effective countermeasures such as constant-time operations, point blinding, and masking have been highlighted as essential strategies to protect against these attacks [42].Implementing these strategies in our ECC-based cryptosystem is crucial and will be a key area for future work to ensure the robustness of our cryptosystem against such attacks.5.2.9.Man-in-the-Middle Attack (MitM) Based on the hardness assumption of the ECDLP, our scheme provides security against several attacks, effectively mitigating many weaknesses as discussed in Section 5 and preventing the extraction of secret keys involved during its process (e.g., K sh , kP r , users' private keys, etc.).However, a significant concern arises regarding the possibility of adversaries impersonating legitimate users through man-in-the-middle (MitM) attacks.This form of attack involves intercepting and substituting public keys with malicious ones, thus compromising the confidentiality and integrity of data exchanged between users.To mitigate this threat in our proposed scheme, robust verification mechanisms are essential.Implementing protocols for public key authentication enables users to verify the legitimacy of received keys [43] while leveraging certificate authorities (CAs) provides digital certificates to validate the identities of communication parties [44].Additionally, adopting trust-on-first-use (TOFU) mechanisms allows users to verify public keys during initial interactions [45].Continuous monitoring and verification of public key authenticity in real-time, using automated systems equipped with anomaly detection algorithms, helps detect and mitigate impersonation attempts [46].These measures collectively strengthen the resilience of our encryption method against MitM attacks, ensuring secure data exchange between users.
Table 6 presents a security comparison between the proposed methods and schemes in some related works, where the symbols ✓ (representing 'Secure') and × (representing 'Not Secure') are used to denote the resilience or vulnerability against specific several attacks.

Implementation
To implement the proposed scheme, we leverage the parameters and computations specified in Table 7. First, we utilize the elliptic curve parameters defined in [47], including the coefficients a and b, the prime number p, the generator point G, and its order #G.Next, we proceed with the key exchange process between a sender (s) and a receiver (r).The sender generates their private key u s and computes their public key P s using scalar multiplication with the generator point G. Similarly, the receiver generates their private key u r and computes their public key P r .During the key exchange, the sender derives points kP r and kG using a random parameter k and the receiver's public key, while the receiver derives the same point kP r using their private key u r and point kG.This point kP r acts as a session key, providing forward secrecy by ensuring that each session uses a new and unique key.Therefore, it is essential to update kP r for each new session by choosing a new random number k.Finally, both parties compute the shared secret point using their respective private keys and the derived points.This shared secret point serves as the basis for establishing a secure communication channel between the sender and the receiver.
To encrypt the message M = "Cryptography", we have to compute the block size q = ⌊(l p − 2)/ log(256)⌋ = 3, where l p = 10 represents the number of digits of the prime p. Then we segment the message into four blocks: B 1 = "Cry", B 2 = "pto", B 3 = "gra", and B 4 = "phy".Each block B i is then converted to a decimal value m i , which is encoded to m ′ i using the proposed encoding process in Figure 2.This encoding process incorporates a hash value H (Counter) (x k ), computed for two encryption attempts, numbered Counter = 1 and 2, where the hash function used is SHA256 is adjusted to define H (Counter) (.).Subsequently, each m ′ i is mapped to a point P m i using Algorithm 3. Furthermore, for message integrity verification, the integer m * is computed as described in Algorithm 4, then mapped to P m * prior to tag creation.Finally, ElGamal-v2 is used to compute cipher points as C m i = P m i + kP r , and the tag as C m * = P m * + kP r .Mapping details for encryption attempts numbered Counter = 1, 2 are provided in Tables 8 and 9, respectively.

Conclusions
We introduce a set of innovative contributions to the processes of message encoding, mapping, reversal, and decoding within the ElGamal ECC-based scheme.Our emphasis is on maintaining a delicate balance between the security and computational efficiency of the resulting cryptosystem.To address various attack models, the plaintext encoding incorporates a parameter, Counter, and a nested composition hash function of a secret key before the message mapping process.This introduces a non-one-to-one relationship between the plaintext and mapping points, enhancing security.Furthermore, the mapping process is fortified by utilizing a shared secret point negotiated through the ECDHP.
Our new cryptosystem underwent a comprehensive analysis to assess its performance and security aspects, including complexity, overlap, resistance against chosen-plaintext attacks (CPA), resilience against chosen-ciphertext attacks (CCA), and replay attacks.Furthermore, we investigated the sensitivity of the ciphertext to minor changes in the cryptosystem inputs, and we examined the randomness of the ciphertext from the eavesdropper's perspective.Notably, the design considerations were aimed at enhancing security while maintaining operational efficiency.
Furthermore, it is crucial to consider the arithmetic operations involved in the scalar multiplication of a point in the curve and solving Problem ( 7) during mapping to mitigate potential security risks, particularly those related to side-channel attacks.Therefore, we will intentionally postpone the detailed implementation of these aspects for future investigation.While our proposed method remains robust, addressing these areas in future research will help prevent vulnerabilities that may arise from improper implementations.

Figure 1 .
Figure 1.A comprehensive overview of the proposed scheme.

Figure 13 .
Figure 13.Algorithm performance analysis: running time vs. plaintext size for secp192r1.

Figure 14 .
Figure 14.Algorithm performance analysis: running time vs. plaintext size for secp256r1.

Figure 15 .
Figure 15.Algorithm performance analysis: running time vs. plaintext size for secp384r1.

Figure 16 .
Figure 16.Algorithm performance analysis: running time vs. plaintext size for secp521r1.

Figure 17 .
Figure 17.Mapping change rate from a single-bit key alteration.

Figure 18 .
Figure 18.Ciphertext change rate from a single-bit key alteration.
displays the mapping and ciphertext change rate values, which fall within the interval [48%, 52%].These values accurately align with the principles of plaintext sensitivity.Moreover, the scatter plots of mapping points and cipher points show no correlation, as indicated in Figures 20 and 21 .

Figure 19 .
Figure 19.Bit changing rate under plaintext bit alteration.

Figure 22 .
Figure 22.Rejected sequences and max rejections in NIST statistical tests.

2 .
The adversary requests ciphertexts for a polynomially bounded number of chosen plaintexts and/or performs other operations.3. The adversary requests the decryption of a polynomially bounded number of chosen ciphertexts and/or performs other operations.4. The adversary submits two distinct chosen ciphertexts, C 0 and C 1 .5. The challenger selects a bit b ← 0, 1 randomly, and sends the decryption M = Dec(SK, C b ) back to the adversary.6.The adversary can conduct any desired number of additional computations or encryptions.7.In the end, the adversary outputs a conjecture for the value of b.The advantage of the adversary,A, in winning the IND-CCA game against the cryptosystem Π = (Gen, Enc, Dec) is computed similarly to IND-CPA Adv Π IND-CCA (A, P u ) = |P(A win the game) − P(A lose the game)|.The cryptosystem Π is considered IND-CCA secure if the adversary's advantage is negligible, expressed as Adv Π IND-CCA (A, P u ) = |ϵ(k)|, where ϵ(k) is a negligible function in the security parameter, k.The combination of security against CPA and CCA ensures a robust and secure encryption system.

Table 2 .
Key notations relevant to the proposed scheme.

Algorithm 6
Reverse mapping and decodingRequire: Mapping Points (P m i ) 1≤i≤B , K sh , kP r = (x k , y k ), p, Counter.Ensure: Original Plaintext M.
1: Initialize M as an empty string.2: Initialize IntBlocks to an empty set of block integers.3: for i from 1 to B do 4:

Table 4 .
Change rate analysis for message mapping and encryption: average rate and deviation.

Table 6 .
Comparison of schemes based on security against various attacks.