
      A Wrapping Encryption Based on Double Randomness Mechanism

2023-12-12 15:51:20 Yi-Li Huang, Fang-Yie Leu, Ruey-Kai Sheu, Jung-Chun Liu and Chi-Jan Huang
Computers, Materials & Continua, 2023, Issue 10

Yi-Li Huang, Fang-Yie Leu², Ruey-Kai Sheu, Jung-Chun Liu and Chi-Jan Huang

¹Department of Computer Science, Tunghai University, Taichung, 40764, Taiwan

²Emergency Response Management Center, Ming Chuan University, Taipei, 11103, Taiwan

³General Education Center, Ming Chuan University, Taipei, 11103, Taiwan

ABSTRACT Currently, data security mainly relies on a password (PW) or system channel key (SKCH) to encrypt data before they are sent, whether in broadband networks, the 5th generation (5G) mobile communications, satellite communications, and so on. In these environments, a fixed password or channel key (e.g., PW/SKCH) is often adopted to encrypt different data, resulting in security risks since this PW/SKCH may be solved after hackers collect a huge amount of encrypted data. Actually, the most popularly used security mechanism, the Advanced Encryption Standard (AES), has its own problems, e.g., several rounds have been solved. On the other hand, if data protected by the same PW/SKCH at different time points can derive different data encryption parameters, the system’s security level will then be greatly enhanced. Therefore, in this study, a security scheme, named Wrapping Encryption Based on Double Randomness Mechanism (WEBDR), is proposed by integrating a password key (or a system channel key) and an Initialization Vector (IV) to generate an Initial Encryption Key (IEK). Also, an Accumulated Shifting Substitution (ASS) function and a three-dimensional encryption method are adopted to produce a set of keys. Two randomness encryption mechanisms are developed. The first generates system sub-keys and calculates the length of the first pseudo-random numbers by employing IEK for providing subsequent encryption/decryption. The second produces a random encryption key and a sequence of internal feedback codes and computes the length of the second pseudo-random numbers for encrypting delivered messages. A wrapped mechanism is further utilized to pack a ciphertext file so that a wrapped ciphertext file, rather than the ciphertext, will be produced and then transmitted to its destination. The findings are as follows. Our theoretic analyses and simulations demonstrate that the security of the WEBDR in cloud communication has achieved its practical security. Also, AES requires 176 exclusive OR (XOR) operations for both encryption and decryption, while the WEBDR consumes only 3 operations. That is why the WEBDR is 6.7~7.09 times faster than the AES, thus more suitable for replacing the AES to protect data transmitted between a cloud system and its users.

KEYWORDS Initial encryption key; accumulated shifting substitution; three-dimensional operation; wrapped ciphertext file

      1 Introduction

In recent years, owing to the fast advance of the 5th generation (5G) networks and Internet techniques and the popularity of mobile phones, a wide range of mobile applications were proposed to provide us with a colorful living environment and enrich our daily lives. Also, with the fast development of cloud computing, people frequently send data to a cloud for storage or processing. But data transmitted via wireless channels may be stolen by hackers, causing severe security problems. This means we need a more secure data transmission environment before the delivered data can be safely protected.

In addition, in the age of big data, the sizes of files transferred between a cloud system and users are often huge, i.e., encryption/decryption speeds should be two of the key issues if we want to deliver them via a 5G network.

At present, the Advanced Encryption Standard (AES), as a block cipher mechanism, has been popularly employed to secure delivered data. The AES adopts the combinational logic encryption method [1], consequently attracting different kinds of brute-force attacks [2–4]. According to references [5,6], the AES will soon be insecure since it has been partially solved. Thus, a safer block ciphering method is required shortly. In 2016, Huang et al. [7] introduced a random method to encrypt/decrypt messages/files. However, it is not truly random, since Δh is derived from the password (PW) only, where Δh is the length of an additional character string utilized to hide the beginning point of the ciphertext. The weakness is that Δh may be solved by brute-force attacks [7]. After that, the same PW will be employed to crack wrapped ciphertext files.

Thus, in this study, a more secure scheme, named “Wrapping Encryption Based on Double Randomness Mechanism” (WEBDR for short), is proposed. The WEBDR enhances the security level of block ciphering by wrapping ciphertext with two dynamic data sequences of variable lengths to form a wrapped file, aiming to hide the ciphertext to protect it from being accessed by hackers. The WEBDR uses four types of keys to encrypt data. The first one is called the initial encryption key (IEK), which is generated by integrating a password key (or a channel key) and an initialization vector (IV). The second is a set of sub-keys (SK1~SK5), which is produced by using an accumulated shifting substitution (ASS) function and a three-dimensional encryption method (3D Encryption). Following that, the WEBDR retrieves the current time from its internal clock to produce a key, named the current time key (SKCT), as the third type of key. The fourth is a random encryption key (REK) generated randomly.

Owing to these four types of keys, even when encrypting the same plaintext with the same password, the WEBDR generates different corresponding ciphertext of different lengths and different wrapped ciphertext files. Therefore, it is not easy for hackers to access and then solve the ciphertext. Our previous research results can be seen in reference [7]. The main contributions of this study are listed below:

(1) We adopt the timing-random mechanism to randomly wrap ciphertext. This can effectively prevent hackers from solving the relationship between plaintext and ciphertext even when they have collected a huge number of (plaintext/ciphertext) pairs.

(2) Because the encryption method is of sequential-logic style and adopts a feedback mechanism, the generated subsequent ciphertext blocks will vary according to the contents of previous plaintext blocks. This greatly increases the difficulty of illegal decryption.

(3) The WEBDR in its message encryption (decryption) stage only invokes three exclusive OR (XOR) operations, while the AES calls this operation a total of 176 times for each of its message encryption and decryption processes.

The rest of this article is structured as follows. In Section 2, we briefly describe the related studies of this paper. Section 3 introduces the WEBDR. In Section 4, we analyze the security level of the WEBDR. Simulations and performance of the WEBDR are demonstrated and evaluated in Section 5. Section 6 summarizes this study and overviews our future research.

      2 Related Studies and Background

In this section, the AES is first described. Security challenges in cloud systems and their data delivery are also discussed.

      2.1 The AES and Its Problems

AES as a standard block cipher technique may have different block/key sizes, i.e., 128, 192, or 256 bits [8]. The corresponding numbers of rounds on the data encryption are 10, 12, and 14, respectively, on a 4×4-byte matrix (also called state, denoted by M). The given plaintext block is the initial value.

Take the 10-round AES encryption as an example. A round has four operations, including SubBytes, ShiftRows, MixColumns, and AddRoundKey. But in the 0th round, i.e., the initial round, only AddRoundKey is executed. The last round performs SubBytes, ShiftRows, and AddRoundKey, skipping the MixColumns. Each of the remaining 9 rounds (rounds 1–9) invokes the mentioned four operations. The SubBytes operation substitutes each byte of the state M with the help of the S-Box; the ShiftRows rotates the last three rows, i.e., rotating the i-th row a total of i times, i = 2, 3, 4; the MixColumns multiplies the columns of M with a polynomial function c(x); the AddRoundKey exclusive ORs (XORs) M with the round sub-key [8].

In 2002, the government of the United States (U.S.) adopted the AES as the security standard since it was the most secure encryption method at that time. However, Diehl [9] analyzed a cache attack on the AES, and [10] presented that a biclique attack has been successfully applied to attack AES. References [8,11] introduced different types of AES attacks, meaning that the AES will be solved soon, or at least, it is not really secure.

      2.2 Data Security and Encryption

Today, cloud and Internet of Things (IoT) systems are two popular applications in the world. Their data security is essential before these applications can be successfully applied to the world. Reference [12] defined cloud security as the policies, services, controls, and technologies that protect cloud data, infrastructure, and applications from threats. Seven challenges are also proposed. Among them, Granular Privilege and Key Management are concerned with privilege and cryptography keys. In reference [13], cloud security refers to a broad set of techniques and control methods used to protect data, applications, and cloud computing infrastructures. Because data archived in a cloud system can be accessed by using multiple client devices, when uploading data to the cloud, for security reasons, we need to consider who may access the data (e.g., the staff of the cloud system), and what applications and what methods will be, respectively, requested and utilized to access the data.

Bordak [14] mentioned that before cloud storage, plain-text data can be encrypted to differentiate the ability to save data from the ability to retrieve it. So, it would be better if the encryption key is securely protected to ensure that only authorized users can decrypt data.

Musa et al. [15] enforced their symmetric key encryption to protect a file locally on the client side before uploading it to the cloud system, and the file is decrypted after it is downloaded on the client side using the key produced during encryption. Keys are generated by different algorithms, thus offering better security levels and enhanced system performance for large files.

Reis et al. [16] said that cryptography for cloud applications relies on both client-side and server-side cryptographies. The AES-256 in Cipher Block Chaining (CBC) mode is employed to encrypt their healthcare data. Client-side cryptography encrypts data at the user’s device before sending data to the cloud storage, aiming to ensure user-data privacy and security. Server-side cryptography encrypts data before storage, i.e., inside the cloud system, so that encrypting data, saving data, and managing keys happen at the same location. Of course, before these activities, the ciphertext sent by users should be decrypted first.

Banuelos [17] mentioned that users often utilize integers as keys by invoking a pseudo-random number generator or random-number generator. Sometimes, strings comprising numbers and letters are adopted. Also, a longer key is required, because longer keys consume a longer time to crack. The author also presented that Skyflow, a data privacy vault company, uses a granular approach to encryption keys that involves a master key named a Key Encryption Key (KEK) and Data Encryption Keys (DEKs). Users may use Amazon Web Services Key Management Service (AWS KMS), Skyflow Key Management, or a bring-your-own-key (BYOK) technique to administrate the KEK. But their data stored in the company’s vault is still encrypted by using DEKs.

Reference [18] described that an IoT security solution is required for business. Without security, businesses can be vulnerable to hacks and data breaches, leaving private information exploited and made public, which will threaten the reputation and well-being of these corporations/companies.

Schacht et al. [19] evaluated 5 million Open Pretty-Good-Privacy (OpenPGP) keys with the algorithms utilized and internal parameters selected when establishing connections to third-party software. The authors analyzed the properties of keys and the trends of OpenPGP usage over the past two decades, providing an internal look at OpenPGP and the adoption of public key cryptography. Looking at the details of the keys over time allows us to recommend key features that affect real-world use. The analyses of OpenPGP keys give users a way to determine the time duration for changing the default settings of software packets.

Roundy [20] presented that IoT security risks were rising and stated the challenges listed in Verizon Mobile Security Index 2021 for mirroring mobile to the IoT environment. The author proposed a 6-step procedure to improve IoT security. The last step is encrypting user and application data, aiming to protect the data from malicious actors. Without cryptography, an organization may face sensitive data leakage, reputational damage, and penalties.

Yang et al. [21] proposed an algorithm that exploits encrypted packets and models network traffic to uncover stepping-stone statements/intrusions. The software tool used is OpenSSH, which comprises n paths between Host 0 and Host 1. Each path has its cryptography key under the assumption that Host 0 acts as an intruder, and Host 1 plays the role of a victim. When a path is built, an encryption key is given. The authors claimed that the algorithm demonstrates better performance when detecting intruders’ both-side chaff attacks. However, it is better if the keys can be created with a secure approach.

Nowaczewski et al. [22] predicted that Customer Edge Switching (CES) would be used in 5G networks. They described the CES and explained how it works with the Domain Name System (DNS). The possible attack models were also discussed. Currently, DNSs lack encryption/authentication. Hackers can exploit the system through man-in-the-middle attacks. They also extend CES’s implementation to fix this gap by adding DNSCrypt and DNSSEC functionalities. Their experimental results show that most attacks can be effectively detected by the proposed countermeasures. However, it would be better if the details of cryptography can be presented.

      2.3 Three Working Models of Data Encryption

For those systems requesting high-security levels for their data transmission, three data transmission modes can be considered. Mode 1 is encrypting files transmitted between a user and a base station (BS) or a cloud with a channel key established to ensure their point-to-point security [23,24]. With mode 2, data is saved in client devices before its delivery, i.e., data is encrypted before transmission [25]. Therefore, a password given by the user is processed to generate a password key with which to encrypt/decrypt data files. Mode 3 adopts proxy-based encryption methods to secure archived data. For some existing software or applications with no encryption functions, data can be encrypted by proxy servers [26] before transmission. Our opinion is that the WEBDR can enhance the security and performance of modes 1 and 2, particularly for those medium and large-size files.

      2.4 Other Related Studies

Chakravarthy et al. [27] proposed a system named digital signature algorithm (DSA) which works together with deep packet inspection (DPI), known as the DSA-DPI model, to detect and prevent Distributed Denial of Service (DDoS) attacks. DDoS is an attack that overloads the Central Processing Units (CPUs) of the firewall and other network components and/or consumes their network bandwidths. The proposed system also provides preventive warnings on infrastructure before the malware attack. However, this system does not discuss how to protect, e.g., encrypt/decrypt, the data itself. Digital signatures are one kind of anomaly-based detection scheme. Often a signature-based approach is required. DPI is often a function of firewalls. However, packet filtering often consumes a longer checking time.

Chiu et al. [28] proposed a network autonomous security system, named Detection and Defense of Denial of Service (DoS)/DDoS on 5G (DDD5G), which analyzes 5G network traffic and determines whether a protected system is under DoS/DDoS attack or not by using Shannon entropy (SE) and/or a mixed model. The latter mixes Shannon entropy and the Cumulative Sum Algorithm (CUSUM) to further enhance a system’s security level. Shannon entropy adopts entropy derived from normal traffic at specific time intervals as the threshold and compares it with the entropies of other time intervals, denoted by T, to detect whether there are intrusions and attacks in T or not, while the CUSUM collects traffic and checks to see whether it exceeds the predefined thresholds or not to determine if this system is under attack. The authors claimed that a mixed-mode approach can effectively detect DDoS. However, with the two-stage detection approach, the detection time may be long, i.e., unable to detect attacks in a real-time manner.

Tsai et al. [29] proposed a Two-stage High-efficiency Long Range Wide Area Network (LoRaWAN) encryption key Update Scheme (THUS for short) for changing LoRaWAN’s session keys and root keys in an efficient and secure approach. The THUS comprises two stages, i.e., the Root Key Update (RKU) and the Session Key Update (SKU), and with different update periods, the security levels of RKU and SKU are higher than those of normal LoRaWAN specifications. A modified AES cryptography process is also adopted in the THUS to improve the THUS’s security level. According to the authors’ security analyses, the THUS can effectively protect important parameters in its key update stages, and satisfies the requirements of integrity, mutual authentication, and confidentiality. Moreover, the THUS can further resist replay and eavesdropping attacks. However, THUS procedures can only be applied to LoRaWAN since the mechanism is limited to LoRaWAN, i.e., join-server, end-device, and network server. Also, when a sender generates a new D-box, it needs to deliver it (of course, encrypting it) to his/her target site. Otherwise, the target site does not know how to solve the receiving message, thus increasing the processing costs.

Khan et al. [30] stated that traditional authentication protocols are vulnerable in the quantum computing era. Therefore, they presented an authentication protocol according to the lattice technique for public cloud environments to prevent quantum attacks and avoid all known typical attacks. This protocol provably secures the protected systems with the Real-Or-Random (ROR) model. Their simulation results showed that this protocol is lightweight compared with some existing lattice-based authentication protocols. Their comparative analyses also demonstrated that this protocol is quite appropriate to be implemented in quantum-based environments. However, this scheme is developed for authentication, instead of encrypting/decrypting transmitted data.

Khalaf et al. [31] presented that hackers may send malicious inputs to confuse a web application. The purpose is to access or disable the application’s back end. The authors claimed that Cross-site scripting (XSS) and Structured Query Language (SQL) Injection Attacks (SQLIAs) are frequently launched. They then developed an input validation mechanism to check and evaluate program codes and also developed a script whitelisting interception layer that is a part of the browser’s JavaScript engine. The SQLIA can be detected and the XSS attack is resolved with the approach of input verification and script whitelisting by using pushdown automatons. However, this system only focuses on SQLIA, XSS, and buffer overflow.

Yang et al. [32,33] described that Age-of-information (AoI) as an indicator reflects the freshness of data during the communication stage and that Unmanned Aerial Vehicles (UAVs) play very important roles in Mobile Edge Computing Networks (MECN). They tried to solve the Channel Access Attack (CAA) problem of AoI-oriented channel access from game-theory viewpoints. A system model with active probability is first built to acquire a MECN-based AoI indicator under CAA attacks. Next, they proposed the AoI-based channel access optimization problem by using Ordinary Potential Game (OPG). At last, a learning algorithm named Distributed Channel Access Strategy Determination (DCASD) is presented to choose the channel access strategies. Experiments with different parameters to enhance the performance of the algorithm are conducted and compared with some state-of-the-art systems. But the proposed scheme is not applied to encrypt/decrypt data. Further, readers may like to know how attackers access the available channels to intrude on sensor nodes. How to implement the proposed approach with Carrier Sense Multiple Access (CSMA) families? How to work with IEEE 802.11 ax/be? It would be better if the authors can deeply describe these.

      3 The WEBDR

The WEBDR dynamically hides ciphertext in a wrapped cipher file, aiming to hide the right position of ciphertext. Thus, it is not easy for hackers to collect a huge amount of effective (plaintext, ciphertext) pairs with which to break the system.

      3.1 Parameters and Operators

      All parameters and operators adopted by the WEBDR are listed and defined below:

A. Parameters

Parameters used are as follows:

1. IV: initialization vector, which is inputted to a cryptographic primitive by users to provide the initial state of the WEBDR.

2. PW: the password, comprising 8 to 32 characters, is prepared as one of the inputs by users.

3. SKPW: the system password key derived from PW.

4. dsc: dynamically shifting count when shifting data.

5. SKCH: the system channel key, created for a user and the cloud server before their communication starts.

6. SK0: the system zeroth encryption key defined as SK0 = SKPW or SK0 = SKCH.

7. IEK: the initial encryption key.

8. SK1~SK5: the system sub-keys produced in the system’s initial procedure.

9. PRS1: pseudo-random sequence 1, as a random string placed at the beginning of a wrapped ciphertext file.

10. PRS2: pseudo-random sequence 2, as a random string placed at the end of a wrapped ciphertext file.

11. Δ1l: |PRS1| in bytes. Its usage will be described later.

12. Δ2l: |PRS2| in bytes. Its usage will be described later.

13. SKCT: the system time key, produced based on current CPU time, is 128 bits long, comprising the following elements: nanosecond/date/hour/minute/second/nanosecond/hour/minute/second.

14. SKRCT: the reverse key of SKCT, 128 bits long, consists of the following elements: second/minute/hour/nanosecond/second/minute/hour/date/nanosecond.

15. REK: Random Encryption Key, which is employed to generate ciphertexts and the length of PRS2.

16. CREK: the ciphertext key of REK.

17. fb0~fbn: a sequence of internal feedback codes.

18. Plaintext blocks: P1 P2 ... Pj ... Pn, where Pj is plaintext block j and |Pj| = 128 bits, 1 ≤ j ≤ n.

19. Ciphertext blocks: C1 C2 ... Cj ... Cn, where Cj is ciphertext block j and |Cj| = 128 bits, 1 ≤ j ≤ n.

B. Operators

The operators employed and their functions are defined as follows:

1. XOR, denoted by ⊕.

Encrypting plaintext p to ciphertext c with key k, i.e., c = p ⊕ k.

Decrypting c to p with k, i.e., p = c ⊕ k.

2. Binary adder [7]: +2

Encrypting plaintext p to ciphertext c with key k, i.e., c = p +2 k, in which we drop the carry generated by the addition of the most significant bit.

Decrypting c to p with k, i.e.,

3. Rotate-Equivalence operator: R

Encrypting plaintext pi to ciphertext ci with key k, i.e.,

ci = pi R k = piR k, where piR is the key acquired by rotating plaintext pi clockwise h bits, where h = |k|/4, i.e., if |k| = 128, pi will rotate 32 bits.

Decrypting ci to pi with k, i.e., pi = ci IR k = counterclockwise rotating (ci k) a total of |k|/4 bits.

4. Three-dimensional operation: the operation encrypting a message by using encryption keys and three fundamental operators [1], i.e., ⊕, +2 and R.

5. Modulus operator: mod.

c = p mod n, where n is a positive integer.

6. Left(PW, n): a function that retrieves n leftmost characters from PW, where n ≤ |PW| in bytes.

7. Right(PW, n): a function that accesses n rightmost characters from PW, where n ≤ |PW| in bytes.

8. Trunc(RN, t): a function that truncates the rightmost t bytes from the random number key RN.
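The three fundamental operators above on 128-bit blocks, as an added example that is not the authors' code. Assumptions: blocks are modelled as Python integers, "clockwise" is taken as a right rotation, and the equivalence step of the Rotate-Equivalence operator is taken as bitwise XNOR because its symbol is not legible on this page; the two derivations used, IEK = SK0 ⊕ IV and SK4 = (SK0 +2 SK3) ⊕ SK2, are the ones quoted in Section 4.1, evaluated on constructed values.

```python
"""Added illustration of the WEBDR operators on 128-bit blocks (not the authors' code)."""

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1      # keeps every result inside 128 bits
ROT = BLOCK_BITS // 4             # h = |k|/4 = 32 bits for a 128-bit key


def xor(p: int, k: int) -> int:
    """Operator 1: c = p XOR k. Self-inverse, so the same call decrypts."""
    return (p ^ k) & MASK


def add2(p: int, k: int) -> int:
    """Operator 2 (+2): binary addition with the carry out of the MSB dropped."""
    return (p + k) & MASK


def sub2(c: int, k: int) -> int:
    """Inverse of add2: subtraction modulo 2**128."""
    return (c - k) & MASK


def rotr(x: int, h: int) -> int:
    """Rotate a 128-bit value right by h bits ("clockwise" is an assumption)."""
    h %= BLOCK_BITS
    return ((x >> h) | (x << (BLOCK_BITS - h))) & MASK


def rotl(x: int, h: int) -> int:
    """Rotate a 128-bit value left by h bits."""
    h %= BLOCK_BITS
    return ((x << h) | (x >> (BLOCK_BITS - h))) & MASK


def xnor(a: int, b: int) -> int:
    """Bitwise equivalence (assumed meaning of the operator's second half)."""
    return ~(a ^ b) & MASK


def rot_equiv(p: int, k: int) -> int:
    """Operator 3: rotate p by |k|/4 bits, then combine with k by XNOR."""
    return xnor(rotr(p, ROT), k)


def rot_equiv_inv(c: int, k: int) -> int:
    """Inverse of operator 3: XNOR with k, then rotate back the other way."""
    return rotl(xnor(c, k), ROT)


def derive_iek(sk0: int, iv: int) -> int:
    """IEK = SK0 XOR IV, as quoted in Section 4.1."""
    return xor(sk0, iv)


def derive_sk4(sk0: int, sk2: int, sk3: int) -> int:
    """SK4 = (SK0 +2 SK3) XOR SK2, as quoted in Section 4.1."""
    return xor(add2(sk0, sk3), sk2)


def roundtrip_ok(p: int, k: int) -> bool:
    """True when all three operators recover p from their own output under k."""
    return (xor(xor(p, k), k) == p
            and sub2(add2(p, k), k) == p
            and rot_equiv_inv(rot_equiv(p, k), k) == p)


def is_affine_in_p(op, a: int, b: int, k: int) -> bool:
    """Check op(a^b,k) ^ op(0,k) == op(a,k) ^ op(b,k) for one (a, b, k).

    XOR and rotate-XNOR satisfy this for every input (they are affine over
    GF(2)); +2 does not, because carries couple neighbouring bits.
    """
    return op(a ^ b, k) ^ op(0, k) == op(a, k) ^ op(b, k)


# Constructed sample values; SK2 and SK3 would come from the ASS algorithm,
# which is not reproduced on this page.
SK0 = 0x00112233445566778899AABBCCDDEEFF
IV = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0
SK2 = 0x1032547698BADCFE1032547698BADCFE
SK3 = 0xFFEEDDCCBBAA99887766554433221100

if __name__ == "__main__":
    print(f"IEK = {derive_iek(SK0, IV):032x}")
    print(f"SK4 = {derive_sk4(SK0, SK2, SK3):032x}")
    print("round trip:", roundtrip_ok(SK0, IV))
    print("+2 affine on (1, 2, 1):", is_affine_in_p(add2, 1, 2, 1))
```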

C. Accumulated shifting substitution

In the AES, the SubBytes is a mapping/substitution operation following the content of a given lookup table, i.e., a substitution box (S-Box). Basically, this mapping is a combinatorial-logic style encryption. A substring X (in bytes) that appears at different locations in the plaintext will produce the same cipher substring S(X), consequently decreasing its security level since the mapping from X to S(X) is fixed, rather than a one-to-many mapping.

Next, the Accumulated Shifting Substitution algorithm (ASS), i.e., Algorithm 1, defined below, is a sequential-logic style encryption mechanism which encrypts a plaintext into an irreversible ciphertext. The same substrings X at different locations of the plaintext will be mapped to different cipher substrings. In other words, this is a one-to-many relationship, aiming to significantly enhance the security level of ciphertext.

Algorithm 1: ASS Algorithm

3.2 Password Key (SKPW)

In the WEBDR, SKPW is the initial key. Its content significantly affects the security level of the WEBDR. To generate SKPW, we expand PW following three rules:

(1) The original content of PW is preserved;

(2) The code expanded is generated based on the original content of PW;

(3) When the same character repeatedly appears in PW, the expanded codes vary.

The algorithm deriving SKPW from PW is shown in Algorithm 2.

Algorithm 2: Deriving SKPW from PW

      3.3 Encryption/Decryption

In the WEBDR, before data encryption, there is an initial process used to generate system sub-keys SK1~SK5 and Δ1l by using PW or a channel key SKCH, both of which have been enhanced by invoking Algorithm 2. The key length is 128 bits.

A. Initial process

The initial process of the WEBDR is shown below:

Step 1: Producing REK and CREK

Step 2: Producing ciphertext and Δ2l

Step 3: Yielding PRS1 and PRS2

Step 4: Concatenating IV, PRS1, CREK, Ciphertext and PRS2 sequentially to produce the wrapped ciphertext file, the layout of which is illustrated in Fig. 1.

Figure 1: The layout of a wrapped ciphertext file

C. Message decryption

The decryption process is shown below:

      4 Security Analyses

We analyze the security of the WEBDR’s working environment in operation mode 1 and mode 2 stated above, covering the security of the system sub-keys SK1~SK5, Δ1l, the dynamic random key REK, the wrapped ciphertext file, and the ciphertext, and then demonstrate how they resist eavesdropping attacks.

      4.1 Security on SK1~SK5

In the WEBDR, the system sub-keys SK1~SK5 are employed to encrypt/decrypt a given plaintext. Claimed 1 shows that SK1~SK5 have achieved practical security.

Claimed 1:

When the WEBDR works in operation mode 1 or mode 2, the generated system sub-keys SK1~SK5 have achieved practical security.

Proof: In operation mode 1 or mode 2, SK0 is defined as SK0 = SKCH (or SK0 = SKPW), where SKCH (or SKPW) is inputted externally, meaning that it is not easy for hackers to guess the value of SK0. In the two modes, SK0 is used only once. Thus, the problems resulting from collecting massive data for solving SK0 can be prevented. Moreover, SK0 and IV employed in a session are themselves different from those used in other sessions. Hence, to crack SK1~SK5, apart from blindly guessing their values, hackers can also utilize three approaches. The first is solving Eqs. (1) to (3). The second is breaking Eq. (4). The last is cracking Eqs. (6) to (9) and solving the wrapped ciphertext file construction (WCFC) by adopting brute-force attacks.

About the first approach, in Eq. (3), SK5 is derived from four parameters, including IV, SK1, SK2, and SK4, and the three-dimensional operation mentioned above. SK4 = (SK0 +2 SK3) ⊕ SK2 in Eq. (2) is derived by utilizing SK0, SK2, and SK3, in which SK3 is produced by invoking the ASS Algorithm given D-Box and SK2. Further, SK1 in the equation (see Eq. (1)) is again acquired by calling the ASS Algorithm given D-Box and IEK, where IEK = SK0 ⊕ IV. Now we can conclude that without correct values of SK0 and IV, SK1~SK5 cannot be solved. However, the value of SK0 is unknown to hackers. In other words, SK1~SK5 are difficult to break. Also, at different time points, the IV values are different, meaning that hackers have insufficient data to break our system.

For the third approach, hackers may break Eqs. (6) to (9) and the wrapped ciphertext file construction by employing brute-force attacks. In mode 1 or mode 2, without knowing plaintext, hackers cannot launch chosen-plaintext attacks and known-plaintext attacks. They can only collect and analyze wrapped ciphertext files. Even though hackers have collected a huge amount of wrapped ciphertext files encrypted by SK0, each ciphertext file has its own IV, which is a random number, so that the generated keys, i.e., SK1~SK5, are themselves different from those SK1~SK5 produced in other sessions, indicating that hackers cannot acquire the value of Δ1l, hence are unable to retrieve CREK from the file and acquire the random encryption key, i.e., REK. Even though hackers have guessed the value of CREK, based on Eq. (6), i.e., , when REK is unknown, it is hard to solve REK and SK1~SK5 based on the CREK. Moreover, at different CPU time points, the REK varies, i.e., hackers lack enough data to break these parameters.

Furthermore, the WEBDR generates a random key REK for each plaintext P. Each time the plaintext encryption process is executed, different SK1~SK5, SKCT and REK values will be derived and given to produce different wrapped ciphertext files; thus, breaking those parameters from these collected wrapped ciphertext files is difficult. Also, Δ1l, Δ2l and the size of the plaintext file are unknown to hackers. Consequently, it is not easy for hackers to identify the place of the ciphertext in the wrapped ciphertext file to obtain the ciphertext, and thus they are unable to break the WEBDR.

Next, even if hackers correctly guess the exact location of the ciphertext and obtain (Pi, Ci), 1 ≤ i ≤ n, pairs, without the value of fb0 (i.e., SK4), C0 (i.e., SK3), plaintext block Pi, the system sub-key SK5, the random key REK, and the internal feedback code fb_{i-1}, hackers are unable to obtain SK3, SK4, Pi, fb_{i-1}, SK5, and REK from the ciphertext block Ci based on Eqs. (7) and (8), due to the sequentially generated internal feedback code fb_{i-1}, 1 ≤ i ≤ n, i.e., SK1~SK5 are difficult to break.

From the analyses above, we dare to say that in operation mode 1 or mode 2, the generated system sub-keys SK1~SK5 have achieved practical security (Q.E.D).

      4.2 Security on Δ1l

The key point for solving the wrapped ciphertext files is acquiring Δ1l. But it is crucial for hackers to solve the WCFC and then access the corresponding CREK and ciphertext. That is, Δ1l needs a higher level of security. In operation mode 1 or 2, the probabilities of cracking Δ1l by using probable approaches are similar to that of a blind guess. So, we dare to declare that Δ1l has its practical security. We analyze this in Claimed 2.

Claimed 2:

In operation mode 1 or 2, Δ1l derived from the zeroth encryption key SK0 and system sub-keys SK1~SK5 has achieved its practical security.

Proof: Besides a blind guess, there are only two approaches for hackers to solve the value of Δ1l, i.e., by solving Eq. (4) or breaking the wrapped ciphertext file format by using brute-force attacks.

With the first approach, in operation mode 1, data transmitted between a user and a base station (or the cloud) is encrypted, i.e., SK0 = SKCH. In operation mode 2, the data file owned by the user is encrypted, i.e., SK0 = SKPW. As mentioned above, both SKCH and SKPW are given by users, i.e., the two parameters are external to our system. Therefore, it is not easy for hackers to correctly guess the one given. Namely, SK0 is difficult to break.

      According to Claimed 1, SK1~SK5, sequentially derived from SK0 and IV, also have their own practical securities. Without knowing the values of SK0~SK5, hackers cannot solve Eq. (4) to break Δ1l. The reason is that to calculate the value of Δ1l, SK0 and SK1~SK5 ought to be solved beforehand. But the key length is 128 bits. The range of possible key values, from 0 to 2^128-1, is far wider than the range of probable values of Δ1l, which is between 3 and 1024. Without knowing the values of SK0~SK5, the probability of solving Δ1l, produced by using SK1~SK5 with a Three-dimensional operation and the modulus operation (mod 1022 + 3), is equal to that of a blind guess [1].

      By using the second approach, hackers may try to analyze the wrapped ciphertext file format with brute-force attacks. But in operation mode 1 or mode 2, they cannot solve the file by employing chosen-plaintext attacks or known-plaintext attacks because they are unable to solve Δ1l and Δ2l and thus do not know the location of the ciphertext in the file. Even though the collected wrapped ciphertext files are produced by giving the same SK0, the Δ1l values of all ciphertext files vary due to giving different IVs. The conclusion is that Δ1l is difficult to break.

      In addition, the ciphertext is placed between PRS1 and PRS2 and CREK (see Fig. 1). PRS1 and PRS2 are both derived from random numbers or pseudo-random numbers. They cannot be solved from the wrapped ciphertext files collected. Also, the size of a wrapped ciphertext file is (16 + Δ1l + 16 + 16n + Δ2l) bytes, where the two 16 bytes are the sizes of IV and CREK, 16n bytes represent the length of the plaintext and Δ1l (Δ2l) is the size of PRS1 (PRS2). Since hackers do not know the values of Δ1l and Δ2l, the probability with which to obtain Δ1l by cracking the entire wrapped ciphertext file structure is the same as that of a blind guess. Here, we can conclude that Δ1l has achieved its practical security (Q.E.D).

      4.3 Security on Random Encryption Key REK

      Since the dynamic random key REK is used to encrypt a plaintext file, it requires a relatively high level of security. In Eq. (5), i.e.,, REK is generated by utilizing the Three-dimensional operation and three parameters, including the zeroth random encryption key REK0 and the two current time keys SKCT and SKRCT, showing that REK is a highly dynamic random key. Theorem 1 will prove that REK’s security level is high.

      Theorem 1:

      In operation mode 1 or 2, if the dynamic random encryption key REK generated is n bits long, the probability with which to obtain REK from an intercepted wrapped ciphertext file is.

      Proof: To break REK, in addition to a blind guess, hackers could also adopt the following three methods. The first is cracking Eq. (6). The second is solving Eqs. (7) and (8). The third is breaking Eq. (9) and analyzing the wrapped ciphertext file format.

      Firstly, in operation mode 1 or 2, from previous analyses, we know that Δ1l and SK1~SK5 have their practical securities. Thus, when Δ1l is unknown, hackers cannot find the position of CREK in the wrapped ciphertext file, and the probability with which to obtain REK is the same as that of a blind guess. Even though hackers may somehow accurately retrieve CREK and try to obtain REK by solving Eq. (6), i.e.,, without knowing the values of SK1~SK5, they are unable to obtain REK with only one value of CREK. Therefore, when the values of SK1~SK5 are unknown, the probability with which to obtain REK by solving the information concerning CREK is the same as that of a blind guess, i.e., [1].

      Secondly, in operation mode 1 or mode 2, hackers are unable to successfully crack the WEBDR by submitting chosen-plaintext attacks and known-plaintext attacks. They can only crack the system by analyzing the wrapped ciphertext files collected. But without the values of Δ1l and Δ2l, no clues to the exact place of the ciphertext within the wrapped ciphertext file can be found, meaning that the attacker cannot successfully retrieve the ciphertext from the wrapped ciphertext file and crack it. In this case, Eqs. (7) and (8) are not helpful for hackers, i.e., the probability with which to recover REK by solving Eqs. (7) and (8) is the same as that of a blind guess.

      On the other hand, hackers may somehow accurately guess where the ciphertext block Ci is (e.g., by brute-force approaches), 1 ≤ i ≤ n, and attempt to solve Eqs. (7) and (8). But in Eq. (8), i.e.,, the internal feedback key fb_{i-1}, 1 ≤ i ≤ n, is generated by utilizing Eq. (7) and the four parameters, including fb0, C0, REK, and SK5, are unknown. Therefore, the value of fb1 cannot be uncovered. Likewise, since fb1, REK, and SK5 are unknown, the value of fb2 cannot be solved. Also, because fb2, REK, and SK5 are unknown, the value of fb3 cannot be obtained, and so on.

      Therefore, the variables fb1, fb2, ..., fbi, ..., fbn form a secure internal feedback-code sequence which is unattainable by hackers. By substituting Eq. (8) with the above results, even if the attacker knows Ci and C_{i-1}, under the condition that fb_{i-1}, REK, and SK5 are unknown, they cannot reversely derive values of Namely, the chance of obtaining values of on the basis in which Ci is known is the same as that of a blind guess [1]. In other words, the dynamic random encryption key REK hidden in the term (REK ⊕ fb_{i-1}) is secure, and the probability with which to solve REK is, which is the same as that of a blind guess.

      Thirdly, without knowing the values of SK2, SK4, SK5 and REK, hackers cannot obtain Δ2l by solving Eq. (9). Further, without the value of Δ1l, hackers cannot reversely derive the value of Δ2l from the total length of the wrapped ciphertext file, i.e., Δ2l is secure. Even though hackers correctly guess the value of Δ2l and try to solve Eq. (9), i.e., mod 1022 + 3, to crack REK, the reality is that generation of a Δ2l involves a dynamic encryption key REK. On each generation, the value of Δ2l varies. The value of Δ2l ranges between 3 and 1024, in which 1024 is far smaller than the upper bound of REK (0 ≤ REK ≤ 2^128-1), plus the fact that hackers do not know the values of (SK2+2REK), SK5, and (SK4⊕REK). Thus, the probability with which to obtain REK based on the mere value of Δ2l is, which is the same as that of a blind guess (Q.E.D.).

      4.4 Security on a Wrapped Ciphertext File

      The ciphertext shown in Fig. 1 is wrapped by PRS1 of length Δ1l and PRS2 of length Δ2l. Since values of PRS1, CREK, and PRS2 are random in different sessions, no method can be used to identify each of them in this wrapped ciphertext file. In operation mode 1 or 2, hackers cannot determine the length of the ciphertext portion. So, they need to know the values of Δ1l and Δ2l to identify the positions of PRS1, CREK, and PRS2 to acquire the ciphertext. But, as mentioned above, Δ1l and Δ2l are well protected. Hackers cannot identify the exact location of the ciphertext and are thus unable to access it. Here, we dare to conclude that the security level of a wrapped ciphertext file is high.

      4.5 Security on Ciphertext

      Assume that hackers, by some method, correctly retrieve the ciphertext from the wrapped ciphertext file. Theorem 2 proves that the plaintext is secure.

      Theorem 2:

      Let P1P2P3...Pm be the plaintext, and let C1C2C3...Cm be the generated ciphertext, where Pi is the ith plaintext block, Ci is its corresponding ciphertext block and both are n bits in length, 1 ≤ i ≤ m. In operation mode 1 or 2, the probability with which to acquire plaintext P1P2P3...Pm based on illegally intercepted ciphertext C1C2C3...Cm is

      Proof: Eq. (11), i.e.,, indicates that C_{i-1}, SK5, fb_{i-1}, and REK on the right-hand side are required before Pi can be recovered from Ci. Then by Claimed 1 and Theorem 1, SK5 and REK have achieved their practical securities. The value of fb_{i-1} can be obtained with the help of Eq. (12), i.e.,, in which values of P_{i-1}, fb_{i-2}, C_{i-2} and SK5 are necessary. However, the plaintext block P_{i-1} is hidden from hackers, and both fb0 = SK4 and C0 = SK3 are well protected. So is also safely protected. Similarly, if the hackers cannot solve P2, fb1 and SK5, the value of is still unknown, and so on, meaning that the internal feedback-code sequence (fb_{i-1}, 1 ≤ i ≤ n) is well protected. Substituting Eq. (11) with this result will show that P1=(C1⊕((C0⊕SK5)+2fb0))-2(REK⊕fb0)fb0 is secure. Thus, when C0, SK5, fb0 and REK are unknown, the probability with which to break P1 is the same as that of a blind guess, i.e., where P1 is protected by using the Two-dimension operation [1]. Likewise, P2=(C2⊕((C1⊕SK5)+2fb1))-2(REK⊕fb1)fb1 is secure when SK5, fb1 and REK are unknown. The probability with which to break P2 protected by the Three-dimensional operation [1] is also, and so on. Hence, a plaintext block Pi, 1 ≤ i ≤ m, is safely protected, and the probability with which to solve an individual plaintext block is. According to Rule of Product, the probability with which to crack the plaintext P1P2P3...Pm is

      4.6 Security on the WEBDR against Eavesdropping Attacks

      In operation mode 1 or 2, active brute-force attacks, like the chosen-plaintext attack and known-plaintext attack, cannot successfully crack a system protected by the WEBDR. Therefore, passive eavesdropping attacks will be the main method used to break the WEBDR by hackers. Now we would like to prove that the WEBDR can effectively defend against eavesdropping attacks.

      In operation mode 1, before data files are transmitted between UE and a base station (or a cloud system), both sides of the connection already own their channel key, i.e., SKCH, which is used to protect the data files. In fact, without the value of Δ1l, the length of the plaintext and the value of Δ2l, hackers cannot exactly identify the position of the ciphertext and then crack it. In addition, if hackers attempt to sniff data over a long term so as to collect a large amount of data for further analysis, it is still useless since for each communication session, the channel key SKCH varies and there is no association between two arbitrary SKCH values. Of course, there is no direct relationship among all wrapped ciphertext files. In other words, the WEBDR can effectively defend against eavesdropping attacks when operation mode 1 is in use.

      In operation mode 2, even if a wrapped ciphertext file is stolen, as mentioned above, hackers cannot figure out the right position of the ciphertext and then crack the wrapped ciphertext file. Furthermore, even though many wrapped ciphertext files are encrypted by using the same SKPW, their IVs are different, so that SK1~SK5, Δ1l and REK are all individually different in different sessions. It is hard for hackers to crack these wrapped ciphertext files without knowing SKPW, meaning that the WEBDR is able to effectively defend against eavesdropping attacks when operation mode 2 is in use.

      5 Performance Analyses and Improvements

      The performance of encrypting and decrypting data blocks mainly depends upon the number of operating instructions. Table 1 lists the number of operations required by the WEBDR and AES when they encrypt/decrypt data blocks that are 128 bits long.

      Table 1: The number of operations consumed by the WEBDR and AES

      Due to the natural-randomness property, it is difficult for most cryptographic algorithms to theoretically compare time complexity. To demonstrate the better performance of the WEBDR than the AES, we conduct several experiments with test scenarios that encrypt/decrypt data blocks of different sizes from 1 KBs to billion KBs. In each test case, we calculate the average time consumed by each step of the pre-processing procedures and the encryption/decryption step over a million executions.

      The experimental results obtained on devices of different specifications are shown in Table 2, which shows that the cost of encrypting (decrypting) a plaintext (ciphertext) block by the AES is 6–8 times higher on average than that of encrypting (decrypting) a plaintext (ciphertext) block by the WEBDR. Before encryption, the AES needs to execute Key-Expansion, i.e., generating round keys by manipulating its cipher key. Similarly, before encryption, the WEBDR has to perform pre-processing, including the initial process, Step 1 of the encryption process and the generation of Δ2l.

      Table 2: Experimental results of test cases (μs)

      To produce a wrapped ciphertext file, the WEBDR should execute post-processing procedures, i.e., the generation of PRS1 and PRS2, in Step 3 of the encryption process. The costs of extra sub-operations required by the AES and WEBDR are also listed in Table 2. The costs for pre/post-processing in the decryption process of the WEBDR are lower than those in its encryption process since the decryption does not need to generate PRS1 and PRS2, only to identify their lengths. If a plaintext file has n plaintext blocks, each of which is 16 bytes long, the theoretical encryption/decryption costs of the WEBDR and AES can be derived from Table 2.

      (1) The AES (for Device# = 5)

      (2) The WEBDR (for Device# = 5)

      Basically, most of the 5th-generation (5G) applications are data intensive, with data sizes of at least 100 kb. As shown in Table 2, the performance of the WEBDR is around 6.7–7.09 times faster than that of the AES.

      The cost of wrapping n-block ciphertext, denoted by CC, in a wrapped file is

      where 130 = (Δ1lmax + Δ2lmax)/16 + 2 = 1024 × 2/16 + 2 since Δ1lmax = Δ2lmax = 1024. When n is large, CC approaches 1.
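
The following Python sketch is an added example, not code from the paper. It works through the wrapped-file size formula (16 + Δ1l + 16 + 16n + Δ2l) from Section 4.2 and the 130-block worst-case overhead above, and counts how many (Δ1l, Δ2l, n) combinations fit one observed file length. The field order IV | PRS1 | CREK | ciphertext | PRS2 and all function names are assumptions.

```python
"""Layout arithmetic for a WEBDR wrapped ciphertext file (added example)."""

BLOCK = 16                      # bytes per block; IV and CREK are one block each
DELTA_MIN, DELTA_MAX = 3, 1024  # range of Δ1l and Δ2l stated in the paper


def wrapped_layout(delta1, delta2, n_blocks):
    """Return {field: (start, end)} byte offsets (end exclusive) plus "total".

    Assumption: fields appear in the order of the terms of the size formula,
    IV | PRS1 | CREK | ciphertext | PRS2. Fig. 1 is not reproduced on the page.
    """
    for delta in (delta1, delta2):
        if not DELTA_MIN <= delta <= DELTA_MAX:
            raise ValueError("delta must lie in [3, 1024]")
    if n_blocks < 1:
        raise ValueError("need at least one ciphertext block")
    fields = [("IV", BLOCK), ("PRS1", delta1), ("CREK", BLOCK),
              ("ciphertext", BLOCK * n_blocks), ("PRS2", delta2)]
    layout, pos = {}, 0
    for name, size in fields:
        layout[name] = (pos, pos + size)
        pos += size
    layout["total"] = pos
    return layout


def expansion_ratio(n_blocks, delta1=DELTA_MAX, delta2=DELTA_MAX):
    """Wrapped size / ciphertext size; with maximum deltas this is (n + 130) / n."""
    total = wrapped_layout(delta1, delta2, n_blocks)["total"]
    return total / (BLOCK * n_blocks)


def count_consistent_layouts(total_len):
    """Count (Δ1l, Δ2l, n) triples whose wrapped file is exactly total_len bytes."""
    count = 0
    for delta1 in range(DELTA_MIN, DELTA_MAX + 1):
        for delta2 in range(DELTA_MIN, DELTA_MAX + 1):
            rest = total_len - 2 * BLOCK - delta1 - delta2  # bytes left for 16n
            if rest >= BLOCK and rest % BLOCK == 0:
                count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: Δ1l = 500, Δ2l = 700, n = 1000 blocks.
    sample = wrapped_layout(500, 700, 1000)
    print(sample)
    print(expansion_ratio(1), expansion_ratio(1000))
    print(count_consistent_layouts(sample["total"]))
```

For the constructed 17232-byte sample, 65280 of the 1022 × 1022 possible (Δ1l, Δ2l) pairs are consistent with the observed length.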

      6 Conclusions and Future Works

      In this study, the WEBDR is developed by using a randomly wrapped feedback approach based on user passwords or channel keys, which together with IV construct high security wrapped ciphertext files with high performance. When receiving a plaintext at different time points, the dynamic random encryption approach, which adopts current time keys and random keys, will produce different wrapped ciphertext files of different cipher texts and lengths, consequently highly improving the security level of transmitted ciphertext. Our theoretical analyses demonstrate that the WEBDR has achieved practical security in transmitting wireless data and encrypting personal files.

      Theorems 1 and 2 prove the security level that the proposed scheme can achieve, i.e., the probability with which to obtain REK from an intercepted wrapped ciphertext file is and the probability with which to acquire plaintext P1P2P3...Pm based on illegally intercepted ciphertext C1C2C3...Cm is The performance of the WEBDR when encrypting/decrypting a file longer than 128 kb is around 6-8 times faster than that of the AES (see Table 2). All operations required by AES and the WEBDR are listed in Table 1. The former consumes 176 XOR operations for both its encryption and decryption, while the WEBDR costs only three XOR for each of its message encryption and decryption processes. Therefore, this proposed system is more suitable than AES for protecting data stored in a cloud or transmitted between the cloud and an end user. Of course, readers may say that fewer operations also make it easier for hackers to break the WEBDR. Yes, it is true. But the time consumed for encrypting/decrypting data for 5G/beyond 5G (B5G)/the 6th generation (6G) networks needs to be short to avoid being the bottleneck of data transfer, since users of current networks request short transmission time.

      According to reference [34], the download speed of a 5G system is about 10 times that of a 4th generation (4G) network, and high-speed communication has been widely requested by users; high-performance transmission is always desired, while keeping the practical security.

      In the future, we will continue developing a faster encryption and decryption approach and then apply it to image cryptography [35]. Also, users may forget their passwords. Then they have trouble decrypting their ciphertexts to plaintexts. Therefore, we need a forgotten-password-recovery mechanism following which users can recover their original passwords, and then decrypt the wrapped ciphertext files. These constitute our future studies.

      Acknowledgement: We would like to thank reviewers who gave us many valuable comments and suggestions with which we can then significantly improve the quality of our manuscript.

      Funding Statement: This work is financially supported in part by Ministry of Science and Technology (MOST), Taiwan under the Grant MOST 109-2221-E-029-017-MY2.

      Author Contributions: Study concepts and system design: Yi-Li Huang and Fang-Yie Leu; Data collection and preparation: Ruey-Kai Sheu and Chi-Jan Huang; Draft manuscript preparation: Yi-Li Huang and Fang-Yie Leu; Analysis and interpretation of results: Ruey-Kai Sheu and Jung-Chun Liu; Theorem derivation and proofs: Yi-Li Huang and Jung-Chun Liu.

      Availability of Data and Materials: A part of the data adopted in this study is articles randomly collected from the Internet. The remaining part is a company’s personnel data. For privacy consideration, the personnel data cannot be accessed without this company’s permission.

      Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
