The pairs {w|s} sufficient for the security of PbPS are called *universal two-padding schemes*. Using one round of the Feistel transform, we give a very general construction of such schemes. Interestingly, we notice that all popular padding schemes with message recovery used for plain signature or encryption, such as OAEP, OAEP+, PSS-R, and "scramble all, encrypt small", naturally consist of two pieces {w|s}. Quite remarkably, we show that all such pairs become special cases of our construction. As a result, we find a natural generalization of all conventional padding schemes, and show that any such padding can be used for signcryption with PbPS. However, none of these paddings gives optimal message bandwidth. For that purpose, and of independent interest, we define a new "hybrid" between PSS-R and OAEP, which we call *Probabilistic Signature-Encryption Padding* (PSEP). We recommend using PbPS with PSEP to achieve the most flexible and secure signcryption scheme to date. To justify this point, we provide a detailed practical comparison of PbPS/PSEP with other previously proposed signcryption candidates.
Category / Keywords: public-key cryptography / universal padding schemes, signcryption, joint signature and encryption, authenticated encryption, Feistel Transform, OAEP, PSS-R, extractable commitment

Date: received 12 Mar 2003, last revised 10 Apr 2003, withdrawn 1 Feb 2004

Contact author: dodis at cs nyu edu

Available formats: (-- withdrawn --)

Note: This report is completely superseded by E-Print report 2004/020: http://eprint.iacr.org/2004/020

Version: 20040201:191729