International Association for Cryptologic Research

CryptoDB

On the Security of Joint Signature and Encryption

Authors:
Jee Hea An
Yevgeniy Dodis
Tal Rabin
Download:
URL: http://eprint.iacr.org/2002/046
Abstract: We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of Zheng [Zhe97]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [BN00,Kra01] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of Shamir and Tauman [ST01], leading to efficient on-line/off-line signcryption. Finally, and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA) security. Motivated by our applications to signcryption, we show that the notion of CCA-security is syntactically ill-defined, and leads to artificial examples of "secure" encryption schemes which do not meet the formal definition of CCA-security. We suggest a natural and very slight relaxation of CCA-security, which we call generalized CCA-security (gCCA). We show that gCCA-security suffices for all known uses of CCA-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
BibTeX
@misc{eprint-2002-11570,
  title={On the Security of Joint Signature and Encryption},
  booktitle={IACR Eprint archive},
  keywords={public-key cryptography / signcryption, authenticated encryption, privacy, authenticity, chosen ciphertext security, commitment schemes},
  url={http://eprint.iacr.org/2002/046},
  note={Eurocrypt 2002 dodis@cs.nyu.edu 11856 received 12 Apr 2002, last revised 17 Jun 2002},
  author={Jee Hea An and Yevgeniy Dodis and Tal Rabin},
  year=2002
}