Cryptology ePrint Archive: Report 2013/230

Relations among Privacy Notions for Signcryption and Key Invisible "Sign-then-Encrypt''

Yang Wang and Mark Manulis and Man Ho Au and Willy Susilo

Abstract: Signcryption simultaneously offers authentication through unforgeability and confidentiality through indistinguishability against chosen ciphertext attacks by combining the functionality of digital signatures and public-key encryption into a single operation. Libert and Quisquater (PKC 2004) extended this set of basic requirements with the notions of ciphertext anonymity (or key privacy) and key invisibility to protect the identities of signcryption users and were able to prove that key invisibility implies ciphertext anonymity by imposing certain conditions on the underlying signcryption scheme.

This paper revisits the relationship amongst privacy notions for signcryption. We prove that key invisibility implies ciphertext anonymity without any additional restrictions. More surprisingly, we prove that key invisibility also implies indistinguishability against chosen ciphertext attacks. This places key invisibility on the top of privacy hierarchy for public-key signcryption schemes.

On the constructive side, we show that general ``sign-then-encrypt'' approach offers key invisibility if the underlying encryption scheme satisfies two existing security notions, indistinguishable against adaptive chosen ciphertext attacks and indistinguishability of keys against adaptive chosen ciphertext attacks. By this method we obtain the first key invisible signcryption construction in the standard model.

Category / Keywords: public-key cryptography / signcryption

Publication Info: This is a full version of the paper that will appear in ACISP 2013

Date: received 20 Apr 2013, last revised 20 Apr 2013

Contact author: yw990 at uowmail edu au

Available format(s): PDF | BibTeX Citation

Version: 20130429:111205 (All versions of this report)

Short URL: ia.cr/2013/230

Discussion forum: Show discussion | Start new discussion