### On the Security of Joint Signature and Encryption

Jee Hea An, Yevgeniy Dodis, and Tal Rabin

##### Abstract

We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as {\em signcryption}, adapting the terminology of Zheng [Zhe97]. We present wo definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [BN00,Kra01] might lead one to expect, we show that classical encrypt-then-sign'' (EtS) and sign-then-encrypt'' (StE) methods are both {\em secure} composition methods in the public-key setting. We also present a new composition method which we call commit-then-encrypt-and-sign'' (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations {\em in parallel}, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent hash-sign-switch'' technique of Shamir and Tauman [ST01], leading to efficient {\em on-line/off-line} signcryption. Finally and of independent interest, we discuss the {\em definitional} inadequacy of the standard notion of chosen ciphertext (CAA) security. Motivated by our applications to signcryption, we show that the notion of CAA-security is syntactically ill-defined, and leads to artificial examples of secure'' encryption schemes which do not meet the formal definition of CCA-security. We suggest a natural and very slight relaxation of CAA-security, which we call generalized CCA-security (gCCA). We show that gCCA-security suffices for all known uses of CCA-secure encryption, while no longer suffering from the definitional shortcomings of the latter.

Available format(s)
Category
Public-key cryptography
Publication info
Published elsewhere. Eurocrypt 2002
Keywords
signcryptionauthenticated encryptionprivacyauthenticitychosen ciphertext securitycommitment schemes
Contact author(s)
dodis @ cs nyu edu
History
2002-06-18: last of 3 revisions
See all versions
Short URL
https://ia.cr/2002/046

CC BY

BibTeX

@misc{cryptoeprint:2002/046,
author = {Jee Hea An and Yevgeniy Dodis and Tal Rabin},
title = {On the Security of Joint Signature and Encryption},
howpublished = {Cryptology ePrint Archive, Paper 2002/046},
year = {2002},
note = {\url{https://eprint.iacr.org/2002/046}},
url = {https://eprint.iacr.org/2002/046}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.