Paper 2002/046
On the Security of Joint Signature and Encryption
Jee Hea An, Yevgeniy Dodis, and Tal Rabin
Abstract
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of Zheng [Zhe97]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [BN00,Kra01] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of Shamir and Tauman [ST01], leading to efficient on-line/off-line signcryption. Finally, and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA) security. Motivated by our applications to signcryption, we show that the notion of CCA-security is syntactically ill-defined, and leads to artificial examples of "secure" encryption schemes which do not meet the formal definition of CCA-security. We suggest a natural and very slight relaxation of CCA-security, which we call generalized CCA-security (gCCA). We show that gCCA-security suffices for all known uses of CCA-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Metadata
- Available format(s)
- PDF PS
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. Eurocrypt 2002
- Keywords
- signcryption, authenticated encryption, privacy, authenticity, chosen ciphertext security, commitment schemes
- Contact author(s)
- dodis @ cs nyu edu
- History
- 2002-06-18: last of 3 revisions
- 2002-04-12: received
- Short URL
- https://ia.cr/2002/046
- License
- CC BY
BibTeX
@misc{cryptoeprint:2002/046,
  author = {Jee Hea An and Yevgeniy Dodis and Tal Rabin},
  title = {On the Security of Joint Signature and Encryption},
  howpublished = {Cryptology {ePrint} Archive, Paper 2002/046},
  year = {2002},
  url = {https://eprint.iacr.org/2002/046}
}