Cryptology ePrint Archive: Report 2003/254
Committing Encryption and Publicly-Verifiable SignCryption
Yitchak Gertner and Amir Herzberg
Abstract: Encryption is often conceived as a committing process, in the sense that the ciphertext may serve as a commitment to the plaintext. But this does not follow from the standard definitions of secure encryption.
We define and construct symmetric and asymmetric committing encryption schemes, enabling publicly verifiable non-repudiation. Committing encryption eliminates key-spoofing attacks and has also the robustness to be signed afterwards. Our constructions are very efficient and practical. In particular, we show that most popular asymmetric encryption schemes, e.g. RSA, are committing encryption schemes; we also have an (efficient) construction given an arbitrary asymmetric encryption scheme. Our construction of symmetric committing encryption retains the efficiency of the symmetric encryption for real-time operations, although it uses few public key signatures in the setup phase.
Finally, we investigate how to achieve both confidentiality and non-repudiation, and present a publicly verifiable signcryption scheme. Contrary to previous signcryption schemes, which are not publicly verifiable, our publicly verifiable signcryption supports non-repudiation. We construct a simple and efficient publicly verifiable signcryption scheme based on a new composition method which we call “commit-encrypt-then-sign” (CEtS) that preserves security properties of both committing encryption and digital signature schemes.
Category / Keywords: foundations / Encryption, Commitment, Key-spoofing attack, Committing Encryption, Signcryption, Non-repudiation, digital signatures
Date: received 17 Dec 2003
Contact author: amir at herzberg name
Available format(s): PDF | BibTeX Citation
Note: This is draft of journal version of this work; we are working towards submitting it and therefore your timely feedback is highly appreciated.
Version: 20031218:185624 (All versions of this report)
Short URL: ia.cr/2003/254
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]