[Resource Topic] 2002/046: On the Security of Joint Signature and Encryption

Welcome to the resource topic for 2002/046

Title:
On the Security of Joint Signature and Encryption

Authors: Jee Hea An, Yevgeniy Dodis, Tal Rabin

Abstract:

We formally study the notion of a joint signature and encryption in
the public-key setting. We refer to this primitive as {\em
signcryption}, adapting the terminology of Zheng [Zhe97]. We present
wo definitions for the security of signcryption depending on whether
the adversary is an outsider or a legal user of the system. We then
examine generic sequential composition methods of building
signcryption from a signature and encryption scheme. Contrary to
what recent results in the symmetric setting [BN00,Kra01] might
lead one to expect, we show that classical encrypt-then-sign'' (EtS) and sign-then-encrypt’’ (StE) methods are both {\em secure}
composition methods in the public-key setting.

We also present a new composition method which we call
commit-then-encrypt-and-sign'' (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations {\em in parallel}, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent hash-sign-switch’’ technique of Shamir and Tauman [ST01],
leading to efficient {\em on-line/off-line} signcryption.

Finally and of independent interest, we discuss the {\em definitional}
inadequacy of the standard notion of chosen ciphertext (CAA)
security. Motivated by our applications to signcryption, we show
that the notion of CAA-security is syntactically ill-defined, and
leads to artificial examples of ``secure’’ encryption schemes which
do not meet the formal definition of CCA-security. We suggest a
natural and very slight relaxation of CAA-security, which we call
generalized CCA-security (gCCA). We show that gCCA-security suffices
for all known uses of CCA-secure encryption, while no longer
suffering from the definitional shortcomings of the latter.

ePrint: https://eprint.iacr.org/2002/046

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .