## Cryptology ePrint Archive: Report 2002/046

On the Security of Joint Signature and Encryption

Jee Hea An and Yevgeniy Dodis and Tal Rabin

Abstract: We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as *signcryption*, adapting the terminology of Zheng [Zhe97]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [BN00,Kra01] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both *secure* composition methods in the public-key setting.

We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations *in parallel*, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of Shamir and Tauman [ST01], leading to efficient *on-line/off-line* signcryption.

Finally and of independent interest, we discuss the *definitional* inadequacy of the standard notion of chosen ciphertext (CCA) security. Motivated by our applications to signcryption, we show that the notion of CCA-security is syntactically ill-defined, and leads to artificial examples of "secure" encryption schemes which do not meet the formal definition of CCA-security. We suggest a natural and very slight relaxation of CCA-security, which we call generalized CCA-security (gCCA). We show that gCCA-security suffices for all known uses of CCA-secure encryption, while no longer suffering from the definitional shortcomings of the latter.

Category / Keywords: public-key cryptography / signcryption, authenticated encryption, privacy, authenticity, chosen ciphertext security, commitment schemes

Publication Info: Eurocrypt 2002

Date: received 12 Apr 2002, last revised 17 Jun 2002

Contact author: dodis at cs nyu edu
