We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of . We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) methods are both secure composition methods in the public-key setting.
We also present a new composition method which we call “commit-then-encrypt-and-sign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new (CtE&S) method elegantly combines with the recent “hash-sign-switch” technique of , leading to efficient on-line/off-line signcryption.
Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
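The commit-then-encrypt-and-sign flow named above, as an added example that is not code from the paper or its authors: commit to the message, sign the commitment, encrypt the decommitment, and accept only if the decrypted value opens the signed commitment. It assumes the third-party `cryptography` package, Ed25519 and RSA-OAEP as the signature and encryption schemes, a SHA-256 hash commitment, and public-key hashes bound into both halves as party identities; all function names are hypothetical.

```python
import hashlib, os
from concurrent.futures import ThreadPoolExecutor
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa

# RSA-2048 with OAEP/SHA-256 carries at most 190 bytes, so m is limited to 126 bytes here.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def ident(pub):  # hash of a public key's DER encoding, used as a party identity (assumption)
    der = pub.public_bytes(serialization.Encoding.DER,
                           serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).digest()

def commit(m):  # assumed hash commitment: c = SHA-256(r || m), decommitment d = r || m
    r = os.urandom(32)
    return hashlib.sha256(r + m).digest(), r + m

def signcrypt(m, sender_sk, receiver_pk):
    c, d = commit(m)
    # Neither public-key operation needs the other's output, so both are submitted at once.
    with ThreadPoolExecutor(max_workers=2) as pool:
        sig = pool.submit(sender_sk.sign, c + ident(receiver_pk))
        enc = pool.submit(receiver_pk.encrypt, ident(sender_sk.public_key()) + d, OAEP)
        return c, sig.result(), enc.result()

def unsigncrypt(c, sig, e, sender_pk, receiver_sk):
    try:
        sender_pk.verify(sig, c + ident(receiver_sk.public_key()))
        p = receiver_sk.decrypt(e, OAEP)
    except (InvalidSignature, ValueError):
        return None
    sender, d = p[:32], p[32:]
    # Accept only if d names this sender and opens the signed commitment c.
    if sender != ident(sender_pk) or hashlib.sha256(d).digest() != c:
        return None
    return d[32:]  # strip the 32-byte commitment randomness r

def demo():
    alice = ed25519.Ed25519PrivateKey.generate()  # sender's signing key
    bob = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # receiver's key
    m = b"constructed sample message"
    c1, s1, e1 = signcrypt(m, alice, bob.public_key())
    c2, s2, e2 = signcrypt(b"second constructed message", alice, bob.public_key())
    ok = unsigncrypt(c1, s1, e1, alice.public_key(), bob)
    # Signed half of one run paired with the encrypted half of another: must be rejected.
    mixed = unsigncrypt(c1, s1, e2, alice.public_key(), bob)
    return ok == m, mixed
```

The mixed case is the one to watch: both halves are individually valid, and only the commitment check ties them to the same message.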
- Encryption Scheme
- Signature Scheme
- Commitment Scheme
- Joint Signature
- Symmetric Setting
J. An and M. Bellare, “Does encryption with redundancy provide authenticity?,” In Eurocrypt’ 01, pp. 512–528, LNCS Vol. 2045.
J. An and Y. Dodis, “Secure integration of symmetric-and public-key authenticated encryption.” Manuscript, 2002.
J. Baek, R. Steinfeld, and Y. Zheng, “Formal proofs for the security of signcryption,” In PKC’ 02, 2002.
M. Bellare, A. Desai, D. Pointcheval and P. Rogaway, “Relations among notions of security for public-key encryption schemes,” In Crypto’ 98, LNCS Vol. 1462.
M. Bellare and C. Namprempre, “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm,” In Asiacrypt’ 00, LNCS Vol. 1976.
M. Bellare, P. Rogaway, “Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography,” In Asiacrypt’ 00, LNCS Vol 1976.
G. Brassard, D. Chaum, and C. Crépeau, “Minimum disclosure proofs of knowledge,” JCSS, 37(2):156–189, 1988.
R. Canetti, “Universally Composable Security: A New Paradigm for Cryptographic Protocols,” In Proc. 42nd FOCS, pp. 136–145. IEEE, 2001.
R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels,” In Eurocrypt’ 01, pp. 453–474, LNCS Vol. 2045.
D. Chaum and H. Van Antwerpen, “Undeniable signatures,” In Crypto’ 89, pp. 212–217, LNCS Vol. 435.
I. Damgård, T. Pedersen, and B. Pfitzmann, “On the existence of statistically hiding bit commitment schemes and fail-stop signatures,” In Crypto’ 93, LNCS Vol. 773.
G. Di Crescenzo, J. Katz, R. Ostrovsky, and A. Smith, “Efficient and Non-interactive Non-malleable Commitment,” In Eurocrypt’ 01, pp. 40–59, LNCS Vol. 2045.
D. Dolev, C. Dwork and M. Naor, “Non-malleable cryptography,” In Proc. 23rd STOC, ACM, 1991.
S. Even, O. Goldreich, and S. Micali, “On-Line/Off-Line Digital Schemes,” In Crypto’ 89, pp. 263–275, LNCS Vol. 435.
E. Fujisaki and T. Okamoto, “Secure integration of asymmetric and symmetric encryption schemes,” In Crypto’ 99, pp. 537–554, 1999, LNCS Vol. 1666.
S. Goldwasser and S. Micali, “Probabilistic encryption,” JCSS, 28(2):270–299, April 1984.
S. Goldwasser, S. Micali, and R. Rivest, “A digital signature scheme secure against adaptive chosen-message attacks,” SIAM J. Computing, 17(2):281–308, April 1988.
S. Halevi and S. Micali, “Practical and provably-secure commitment schemes from collision-free hashing,” In Crypto’ 96, pp. 201–215, 1996, LNCS Vol. 1109.
W. He and T. Wu, “Cryptanalysis and Improvement of Petersen-Michels Signcryption Schemes,” IEE Computers and Digital Communications, 146(2):123–124, 1999.
C. Jutla, “Encryption modes with almost free message integrity,” In Eurocrypt’ 01, pp. 529–544, LNCS Vol. 2045.
J. Katz and M. Yung, “Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation,” In FSE’ 00, pp. 284–299, LNCS Vol. 1978.
H. Krawczyk, “The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?),” In Crypto’ 01, pp. 310–331, LNCS Vol. 2139.
H. Krawczyk and T. Rabin, “Chameleon Signatures,” In NDSS’ 00, pp. 143–154, 2000.
M. Naor and M. Yung, “Universal One-Way Hash Functions and their Cryptographic Applications,” In Proc. 21st STOC, pp. 33–43, ACM, 1989.
T. Okamoto and D. Pointcheval, “React: Rapid enhanced-security asymmetric cryptosystem transform,” In CT-RSA’ 01, pp. 159–175, 2001, LNCS Vol. 2020.
H. Petersen and M. Michels, “Cryptanalysis and Improvement of Signcryption Schemes,” IEE Computers and Digital Communications, 145(2):149–151, 1998.
C. Rackoff and D. Simon, “Non-Interactive zero-knowledge proof of knowledge and chosen ciphertext attack,” In Crypto’ 91, LNCS Vol. 576.
P. Rogaway, M. Bellare, J. Black, and T. Krovetz, “OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption,” In Proc. 8th CCS, ACM, 2001.
C. Schnorr and M. Jakobsson, “Security of Signed ElGamal Encryption,” In Asiacrypt’ 00, pp. 73–89, LNCS Vol. 1976.
A. Shamir and Y. Tauman, “Improved Online/Offline Signature Schemes,” In Crypto’ 01, pp. 355–367, LNCS Vol. 2139.
V. Shoup, “On Formal Models for Secure Key Exchange,” Technical Report RZ 3120, IBM Research, 1999.
V. Shoup, “A proposal for an ISO standard for public key encryption (version 2.1),” Manuscript, Dec. 20, 2001.
D. Simon, “Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions?,” In Eurocrypt’ 98, pp. 334–345, LNCS Vol. 1403.
Y. Tsiounis and M. Yung, “On the Security of ElGamal Based Encryption,” In PKC’ 98, pp. 117–134, LNCS Vol. 1431.
Y. Zheng, “Digital Signcryption or How to Achieve Cost (Signature & Encryption) ≪ Cost (Signature) + Cost (Encryption),” In Crypto’ 97, pp. 165–179, 1997, LNCS Vol. 1294.
Y. Zheng and H. Imai, “Efficient Signcryption Schemes on Elliptic Curves,” Information Processing Letters, 68(5):227–233, December 1998.
© 2002 Springer-Verlag Berlin Heidelberg
An, J.H., Dodis, Y., Rabin, T. (2002). On the Security of Joint Signature and Encryption. In: Knudsen, L.R. (eds) Advances in Cryptology — EUROCRYPT 2002. EUROCRYPT 2002. Lecture Notes in Computer Science, vol 2332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46035-7_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43553-2
Online ISBN: 978-3-540-46035-0