Digital Signcryption: Clayton D. Smith
Digital Signcryption: Clayton D. Smith
Digital Signcryption: Clayton D. Smith
by
Clayton D. Smith
A thesis
presented to the University of Waterloo
in fullment of the
thesis requirement for the degree of
Master of Mathematics
in
Combinatorics and Optimization
Waterloo, Ontario, Canada, 2005
c _Clayton D. Smith 2005
I hereby declare that I am the sole author of this thesis. This is a true
copy of the thesis, including any required nal revisions, as accepted by my
examiners.
I understand that my thesis may be made electronically available to the
public.
ii
Abstract
Signcryption is a new cryptographic primitive which simultaneously provides
both condentiality and authenticity. Previously, these two goals had been
considered separately, with encryption schemes providing condentiality and
signature schemes providing authenticity. In cases where both were required,
the encryption and signature operations were simply sequentially composed.
In 1997, Zheng demonstrated that by combining both goals into a single
primitive, it is possible to achieve signicant savings both in computational
and communication overhead. Since then, a wide variety of signcryption
schemes have been proposed.
In this thesis, we present a number of the proposed signcryption schemes
in terms of a common framework. For the most part, the material has been
previously presented in various research papers, but some previously omitted
proofs have been lled in here. We begin by giving a formal denition of
the signcryption primitive, complete with a security model. Then we look
at some of the various proposed signcryption schemes, and consider their
relative advantages and disadvantages. Finally, we look ahead at what future
progress might be made in the eld.
iii
Acknowledgements
I would like to thank my supervisor, Edlyn Teske, for proposing the topic
of signcryption, as well as providing numerous comments, suggestions, and
corrections during the writing of this thesis. I would also like to thank
Yevgeniy Dodis for his very prompt response to my questions regarding his
paper. Finally, I would like to thank my readers, Alfred Menezes and Doug
Stinson, for their valuable comments and corrections.
iv
Contents
1 Introduction 1
1.1 What is Signcryption? . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Properties of Signcryption Schemes 5
2.1 Condentiality and Authenticity . . . . . . . . . . . . . . . . 5
2.2 Non-repudiation and Signature Veriability . . . . . . . . . . 5
2.3 Forward Secrecy and Past Recovery . . . . . . . . . . . . . . 6
3 Security Models and Generic Constructions 9
3.1 Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2 Signature Schemes . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3 Signcryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3.3 The Multi-User Setting . . . . . . . . . . . . . . . . . 17
3.4 Encrypt-then-Sign and Sign-then-Encrypt . . . . . . . . . . . 20
3.5 Encrypt-and-Sign . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.6 Improvements on Encrypt-and-Sign . . . . . . . . . . . . . . . 28
4 Signcryption in the Discrete Logarithm Setting 29
4.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2 Zhengs Original Scheme . . . . . . . . . . . . . . . . . . . . . 30
4.3 Adding Non-Repudiation . . . . . . . . . . . . . . . . . . . . 33
v
4.4 A DSA-Veriable Scheme . . . . . . . . . . . . . . . . . . . . 35
5 Signcryption from Trapdoor Permutations 41
5.1 Trapdoor Permutation Families . . . . . . . . . . . . . . . . . 41
5.1.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.1.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.1.3 Examples . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.2 Cryptography from Trapdoor Permutations . . . . . . . . . . 43
5.3 Properties of PSEP2 . . . . . . . . . . . . . . . . . . . . . . . 48
6 Comparison 49
6.1 Cost of Signcryption . . . . . . . . . . . . . . . . . . . . . . . 49
6.2 Comparison Charts . . . . . . . . . . . . . . . . . . . . . . . . 51
7 Conclusions 55
7.1 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . 55
7.2 Directions for Future Research . . . . . . . . . . . . . . . . . 55
Bibliography 57
vi
List of Tables
6.1 Security Comparison . . . . . . . . . . . . . . . . . . . . . . . 52
6.2 Feature Comparison . . . . . . . . . . . . . . . . . . . . . . . 52
vii
Chapter 1
Introduction
1.1 What is Signcryption?
Of the many goals which the study of cryptography sets out to achieve,
the most important and widely studied are condentiality and authenticity.
Traditionally, these two goals have been studied separately. In the case of
public-key cryptography, condentiality is provided by encryption schemes,
while authenticity is provided by signature schemes.
In many applications, both condentiality and authenticity are needed
together. Such applications include secure email (S/MIME), secure shell
(SSH), and secure web browsing (HTTPS). Until recently, the de facto solu-
tion was to use both an encryption scheme and a signature scheme, typically
by sequentially composing the encryption and signature operations. This
state of aairs changed in 1997, when Zheng [15] proposed using a single
cryptographic primitive to achieve both condentiality and authenticity. He
called this primitive signcryption.
At rst glance, it is not clear why there should be any advantage to
lumping both goals into a single primitive. However, Zheng and others have
demonstrated, through concrete examples, that signcryption schemes can
provide clear benets over the traditional sequential composition of encryp-
tion and signature schemes. For example:
It is possible to create signcryption schemes which are more ecient, in
terms of computational complexity and/or communication overhead,
than the sequential composition of signature and encryption schemes.
We will see concrete examples of such schemes in Chapters 4 and 5.
Many signcryption schemes require only a single key pair for each user,
1
while the traditional approach requires two: one for encrypting and
one for signing.
Some signcryption schemes allow expensive cryptographic operations
to be parallelized.
In its most basic form, the sequential composition of signature and
encryption schemes yields only a weakly secure signcryption scheme, as
we shall see in Chapter 3. With some slight modications, it is possible
to achieve a much stronger level of security. This example suggests that
it is worthwhile to work inside the framework of signcryption whenever
both authenticity and condentiality are required.
The availability of a signcryption primitive can simplify the design
of cryptographic protocols which require both authenticity and con-
dentiality. For example, Dodis et al. [5] have given a very simple
signcryption-based authenticated key-exchange protocol.
It is clear from this list that signcryption is a topic worthy of further study,
and that it should be considered whenever designing systems that require
both condentiality and authenticity.
1.2 Outline
We begin in Chapter 2 by considering what properties every signcryption
scheme should have, and what additional properties would be desirable.
In Chapter 3 we give a formal denition of signcryption, complete with a
security model. We also look at several signcryption schemes which can
be built from plain encryption and signature schemes. In Chapter 4 we
explore a variety of signcryption schemes based on the discrete logarithm
problem. In Chapter 5 we do the same for schemes based on trapdoor one-
way permutations. In Chapter 6 we compare the various schemes presented
in previous chapters, and we conclude in Chapter 7.
1.3 Scope
Since a great deal of research has already been done in the eld of signcryp-
tion, it is impossible to cover the entire eld here. The signcryption schemes
which are presented here certainly do not constitute an exhaustive list, but
instead are intended to give an overview of the various research directions
which have been explored so far.
2
The material presented here is, for the most part, a unied presentation
of existing work. However, some new material is presented, mainly in the
form of proofs which were omitted from the original research papers. These
proofs are indicated as such where they appear.
A few veins of research are explicitly not considered here. The most
notable is identity-based signcryption, which is an adaptation of identity-
based encryption to the case of signcryption. Interested readers should begin
with the paper of Malone-Lee [7].
3
Chapter 2
Properties of Signcryption
Schemes
In this chapter, we take an informal look at the most important properties of
signcryption schemes, and explain their connection to the formal denition
of signcryption, which will be presented in Chapter 3.
2.1 Condentiality and Authenticity
At the very least, we would expect a signcryption scheme to achieve the
basic goals of encryption and signature schemes, namely condentiality and
authenticity.
By condentiality, we mean that only the intended recipient of a sign-
crypted message should be able to read its contents. That is, upon seeing
a signcrypted message, an attacker should learn nothing about the original
message, other than perhaps its length.
By authenticity, we mean that the recipient of a signcrypted message
can verify the senders identity. That is, an attacker should not be able to
send a message, claiming to be someone else.
It is these two properties which we require of all signcryption schemes.
They will form the security portion of the formal denition of signcryption.
2.2 Non-repudiation and Signature Veriability
By non-repudiation, we mean that the sender of a message cannot later deny
having sent the message. That is, the recipient of a message can prove to a
third party that the sender indeed sent the message.
5
Note that signature schemes always provide non-repudiation, since any-
one can verify a signature using only the senders public key. That is, the
recipient of a signed message need only forward it to a third party, who can
then verify the senders signature. This is not the case for signcryption,
since the condentiality property implies that only the recipient should be
able to read the contents of a signcrypted message sent to him. However, it
is possible to achieve non-repudiation by other means.
An, Dodis, and Rabin [1] argue that non-repudiation should not be in-
cluded in the denition of signcryption, since there are some cases where it
is explicitly undesirable. For example, Krawczyk and Rabin [6] have pro-
posed chameleon signature schemes, in which only the intended recipient of
a message can verify its authenticity. To allow such possibilities also in the
case of signcryption, we will not include non-repudiation in our denition.
However, when discussing the various proposed signcryption schemes, we
indicate which of them provide non-repudiation.
Among those signcryption schemes which provide non-repudiation, some
provide it in the following way: The recipient of a signcrypted message
recovers the original message m, along with a signature s of that message
under some signature scheme o, and provides (m, s) to the verier, who
veries the senders signature using o. Such a signcryption scheme is called
o-veriable, since the verier uses only the signature scheme o. This term
was introduced by Shin, Lee, and Shim [14], who proposed the rst DSA-
veriable signcryption scheme.
o-veriable signcryption schemes are especially desirable if o is a com-
monly used signature scheme, as is the case with DSA. We will indicate
which of the proposed signcryption schemes are o-veriable, and under
which signature scheme o.
2.3 Forward Secrecy and Past Recovery
By forward secrecy, we mean that an attacker cannot read signcrypted mes-
sages, even with access to the senders private key. That is, the conden-
tiality of signcrypted messages is protected, even if the senders private key
is compromised.
On the other hand, the sender of a signcrypted message may later want
to recover its contents. The sender could simply store a copy of the original
message, but this would require additional storage and could be a security
risk. Some signcryption schemes oer a better alternative; they allow the
sender to use his private key to recover the original message from the cipher-
6
text. (Note that traditional encryption schemes do not oer this possibility,
since the senders key pair is not involved in the encryption process.) Those
signcryption schemes which oer this possibility are said to provide past
recovery. This property was rst considered by Zheng [15], whose original
signcryption scheme provides it.
Clearly forward secrecy and past recovery are mutually exclusive. Thus
schemes which provide past recovery should be used with care, since the
advantage of past recovery comes at the cost of losing forward secrecy. We
will leave enough exibility in our security model to allow for both forward
secrecy and past recovery. We will indicate which of them is provided by
each of the proposed signcryption schemes.
7
Chapter 3
Security Models and Generic
Constructions
In this chapter, we present the formal denition and security model for
signcryption given by An, Dodis, and Rabin [1]. Their model is closely
related to the security models for encryption and signature schemes, which
we also present. We then present several signcryption schemes which are
provably secure under their model. These constructions are generic, in the
sense that they can be built from any encryption and signature schemes
satisfying certain security requirements.
3.1 Encryption Schemes
3.1.1 Syntax
An encryption scheme is a triple of algorithms c = (Enc-KeyGen, Enc, Dec):
Enc-KeyGen is a randomized algorithm which accepts 1
k
, where k is a
security parameter
1
, and outputs a key pair (EK, DK). EK is the en-
cryption key, which is made public. DK is the decryption key, which is
kept secret. This operation is denoted by (EK, DK) Enc-KeyGen(1
k
).
Enc is a randomized algorithm which accepts an encryption key EK and
a message m, and outputs a ciphertext c. This operation is denoted
1
In this context, 1
k
denotes a string of k ones. The algorithms Enc-KeyGen, Enc, and
Dec must run in polynomial time with respect to the length of this parameter, i.e. |1
k
| = k.
We will also use k later in the denition of security.
9
by c Enc
EK
(m), or simply c Enc(m) if it is clear which encryption
key is being used.
Dec is a deterministic algorithm which accepts a decryption key DK
and a ciphertext c, and outputs a message m, or the special symbol
in the case of an invalid ciphertext. This operation is denoted by
m Dec
EK
(c), or simply m Dec(c) if it is clear which decryption
key is being used.
We require that Dec
DK
(Enc
EK
(m)) = m for all m, and for all key pairs
(EK, DK) generated by Enc-KeyGen.
3.1.2 Security
To dene the security of an encryption scheme, we must specify two things:
the goal of the adversary, and the capabilities given to the adversary. The
highest level of security is provided when an adversary is unable to achieve
even the weakest goal, when given the strongest capabilities.
We will always dene the goal of the adversary in terms of a game which
the adversary attempts to win. Steps which the adversary must perform
will be written in the form
(o
1
, . . . , o
m
) /(i
1
, . . . , i
n
)
where / is the adversary, (i
1
, . . . , i
n
) are the inputs given to it, and (o
1
, . . .,
o
m
) are the outputs it returns. Unless otherwise stated, the adversary only
has access to the information which is passed to it as input.
In the case of encryption, we will take the goal of the adversary to be
distinguishing ciphertexts. The game played by the adversary consists of
two stages. First the adversary is given the encryption key from a fresh
key pair, and must select two messages m
0
and m
1
of equal length (the nd
stage). Then one of the messages is chosen at random and encrypted, and
the adversary must correctly determine which one was encrypted (the guess
stage). The formal denition of this game is as follows:
1. (EK, DK) Enc-KeyGen(1
k
)
2. (m
0
, m
1
, ) /(EK, nd)
3. b
R
0, 1
4. c Enc(m
b
)
5.
b /(c, , guess).
10
/ wins in the case that b =
b. The adversary is permitted to store some
state information between the nd and guess stages.
Of course, /could win this game with probability 1/2 by simply choosing
,
SigEnc takes as input a message m, and two identities ID
A
and ID
B
. After
checking that ID
A
= ID
A
, SigEnc then signcrypts the message m using
SDK
A
and VEK
B
, and outputs (u, ID
A
, ID
B
). This operation is denoted
by (u, ID
A
, ID
B
) SigEnc
A
(m, ID
A
, ID
B
). When describing signcryption
schemes, we typically omit the identity verication step, and simply write
u SigEnc(m, ID
A
, ID
B
).
For a given user B who has received a ciphertext from some user A
,
VerDec takes as input a ciphertext u, and two identities ID
A
and ID
B
. After
checking that ID
B
= ID
B
, VerDec then de-signcrypts the ciphertext u using
VEK
A
and SDK
B
. This operation is denoted by m VerDec
B
(u, ID
A
, ID
B
).
Once again, the identity verication step is typically omitted, and we simply
write m VerDec(m, ID
A
, ID
B
).
Security
As in the two-user setting, we distinguish between outsider and insider se-
curity. In both cases, we dene security as in the two-user setting, but with
a few small modications.
In the outsider security model, when attacking communication between
a pair of users A and B, we assume that the adversary / has access to
the private keys of all users other than A and B. As in the two-user set-
ting, we give / oracle access to As signcryption functionality and Bs de-
signcryption functionality. However, we make the oracles somewhat more
exible in the multi-user setting, by allowing / to select any recipient (not
necessarily B) when calling the signcryption oracle, and any sender (not nec-
essarily A) when calling the de-signcryption oracle. That is, / has oracle
access to SigEnc(, ID
A
, ) and VerDec(, , ID
B
).
To break the UF-CMA-security, / must produce a valid signcryption
(u, ID
A
, ID
B
) of a message m, without asking the signcryption oracle to sign-
crypt (m, ID
A
, ID
B
). Note, however, that / may request the signcryption of
(m, ID
A
, ID
B
) for some B
, without querying
its signcryption oracle with (m, ID
A
, ID
B
). As before, it may make the query
(m, ID
A
, ID
B
) for some B
,= B
,= A
as it pleases.
Once again, we can dene the IND-gCCA2 security level for conden-
tiality, and the sUF-CMA security level for authenticity. In the case of
IND-gCCA2 security, the relation must take into account the identities
of the sender and recipient to be decryption-respecting. Specically, we
must have (u
1
, u
2
) = true only if u
1
and u
2
are both signcryptions of the
same message, with the same sender and recipient.
3.4 Encrypt-then-Sign and Sign-then-Encrypt
Prior to Zhengs work [15], the usual way to provide both condentiality and
authenticity was to sequentially compose encryption and signature schemes.
This can be done in two ways: encrypt-then-sign (cto), and sign-then-
encrypt (otc).
To verify that our denition of signcryption is a good one, it is worth-
while to start by checking whether these two constructions are secure as
signcryption schemes. We begin by dening cto and otc in the two-user
setting, and then adapt the denitions to provide security in the multi-user
setting.
Denition 3.2 (Encrypt-then-sign). Given an encryption scheme c and
a signature scheme o, we dene the two-user signcryption scheme cto as
follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
20
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc
SDK
A
,VEK
B
(m):
1. e Enc
EK
B
(m)
2. s Sig
SK
A
(e)
3. Return (e, s).
VerDec
VEK
A
,SDK
B
(e, s):
1. a Ver
VK
A
(e, s)
2. If a = succeed return m Dec
DK
B
(e) else return .
Denition 3.3 (Sign-then-encrypt). Given an encryption scheme c and
a signature scheme o, we dene the two-user signcryption scheme otc as
follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc
SDK
A
,VEK
B
(m):
1. s Sig
SK
A
(m)
2. Return u Enc
EK
B
(m[[s).
VerDec
VEK
A
,SDK
B
(u):
1. m[[s Dec
DK
B
(u)
2. If Ver
VK
A
(m, s) = succeed return m else return .
Theorem 3.4. Suppose that c is an IND-gCCA2-secure encryption scheme,
and that o is a UF-CMA-secure signature scheme. Then cto and otc are
insider-secure against IND-gCCA2 attacks on condentiality, and against
UF-CMA attacks on authenticity, in the two-user setting.
The proof is given in An, Dodis, and Rabin [1]. We omit it here, and
instead we give the proofs for the corresponding theorems in the multi-user
setting.
Now we consider how to adapt cto and otc to the multi-user setting.
Note that the current denitions cannot be left unchanged, since they are in-
secure even against outsider attacks in the multi-user setting. In the case of
cto an adversary can distinguish between ciphertexts from A to B by remov-
ing As signature s from the challenge ciphertext u = (e, s), and replacing it
with the signature s
)
21
using its de-signcryption oracle, revealing the message. In the case of otc
an adversary can forge a message from A to B by choosing some message
m, requesting u
SigEnc(m, ID
A
, ID
B
) for some other user B
, then de-
crypting u
as follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc(m, ID
A
, ID
B
):
1. e Enc
EK
B
(m[[ID
A
)
2. s Sig
SK
A
(e[[ID
B
)
3. Return (e, s).
VerDec(e, s, ID
A
, ID
B
):
1. If Ver
VK
A
(e[[ID
B
, s) = fail return .
2. m[[ID
A
Dec
DK
B
(e)
3. If ID
A
= ID
A
return m else return .
Denition 3.6 (Multi-user sign-then-encrypt). Given an encryption
scheme c and a signature scheme o, we dene the multi-user signcryption
scheme otc
as follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc(m, ID
A
, ID
B
):
1. s Sig
SK
A
(m[[ID
B
)
2. Return u Enc
EK
B
(m[[s[[ID
A
).
22
VerDec(u, ID
A
, ID
B
):
1. m[[s[[ID
A
Dec
DK
B
(u)
2. If ID
A
,= ID
A
return .
3. If Ver
VK
A
(m[[ID
B
, s) = succeed return m else return .
These new multi-user versions are indeed secure in the insider security
model, as demonstrated by the following theorems. The proofs presented
here are the original work of the author.
Theorem 3.7. Suppose that c is an IND-gCCA2-secure encryption scheme,
and that o is a UF-CMA-secure signature scheme. Then cto
is insider-
secure against IND-gCCA2 attacks on condentiality, and against UF-CMA
attacks on authenticity, in the multi-user setting.
Proof. Condentiality: Since we are dealing with IND-gCCA2 security,
we must rst deal with the issue of equivalence relations. Let
E
be the
relation with respect to which c is IND-CCA2-secure, and for cto
dene
EtS
((e
1
, s
1
, ID
A
1
, ID
B
1
), (e
2
, s
2
, ID
A
2
, ID
B
2
)) to be
E
(e
1
, e
2
) if A
1
= A
2
,
B
1
= B
2
, Ver
VK
A
1
(e
1
[[ID
B
1
, s
1
) = succeed, and Ver
VK
A
2
(e
2
[[ID
B
2
, s
2
) =
succeed; or false otherwise. Note that
EtS
can be eciently evaluated
using only VK
A
1
and VK
A
2
, which are public.
Now we will show that cto
with non-
negligible probability. We convert this to an adversary /
E
which can break
the IND-CCA2 security of c with the same probability, in the same time,
and using the same number of oracle queries.
Let (EK
B
, DK
B
) be the key pair which /
E
is trying to attack. In the nd
stage, after being given EK
B
, /
E
does the following:
1. (SK
B
, VK
B
) Sig-KeyGen(1
k
)
2. (m
0
, m
1
, ID
A
, ) /
EtS
((VK
B
, EK
B
), nd)
3. Return (m
0
[[ID
A
, m
1
[[ID
A
, ).
In the guess stage, once given the target ciphertext e = Enc
EK
B
(m
b
[[ID
A
)
for b
R
0, 1, /
E
does the following:
1. s Sig
SK
A
(e[[ID
B
)
2. Return
b /
EtS
((e, s, ID
A
, ID
B
), , guess).
Note that /
EtS
may make queries to its de-signcryption oracle. To respond
to a query (e
, s
, ID
A
, ID
B
), /
E
does the following:
23
1. If Ver
VK
A
(e
[[ID
B
, s
) = fail return .
2. If
E
(e, e
) = true return .
3. m[[ID
A
Dec
DK
B
(e
)
4. If ID
A
= ID
A
return m else return .
Note that /
E
may perform step 3 using its decryption oracle, since step 2
guarantees that e
) =
true (and Ver
VK
A
(e
[[ID
B
, s
, s
, ID
A
, ID
B
)
for which Ver
VK
A
(e
[[ID
B
, s
) = succeed and
E
(e, e
too is an
encryption of m
b
[[ID
A
. Now there are two cases to consider. If ID
A
,= ID
A
then the last step of VerDec would return , just as step 2 above. If
ID
A
= ID
A
we quickly run into a contradiction. By the denition of s,
we have Ver
VK
A
(e[[ID
B
, s) = succeed. Since Ver
VK
A
(e
[[ID
B
, s
) = succeed
as well, we have
EtS
((e, s, ID
A
, ID
B
), (e
, s
, ID
A
, ID
B
)) =
E
(e, e
) = true.
But this contradicts the fact that /
EtS
does not query its de-signcryption
oracle with anything equivalent to the target ciphertext.
Authenticity: Suppose there is an adversary /
EtS
which can break
the UF-CMA security of cto
, ID
A
, ID
B
), /
S
does the following:
1. e
Enc
EK
B
(m
[[ID
A
)
2. s
Sig
SK
A
(e
[[ID
B
)
3. Return (e
, s
).
Note that /
S
may perform step 2 using its signing oracle. We must check,
however, that the message e[[ID
B
signed by /
S
is not equal to any of
24
the messages e
[[ID
B
passed to its signing oracle. Suppose otherwise, i.e.
ID
B
= ID
B
and e = e
(m[[ID
A
) for some m,
and e
= Enc
EK
B
(m
[[ID
A
) = Enc
EK
B
(m
[[ID
A
) for some m
. Then since
e = e
we have Enc
EK
B
(m[[ID
A
) = Enc
EK
B
(m
[[ID
A
), which implies that
m[[ID
A
= m
[[ID
A
, so m = m
is insider-
secure against IND-gCCA2 attacks on condentiality, and against UF-CMA
attacks on authenticity, in the multi-user setting.
Proof. Condentiality: Since we are dealing with IND-gCCA2 security,
we must rst deal with the issue of equivalence relations. Let
E
be the
relation with respect to which c is IND-CCA2-secure, and for otc
dene
StE
((u
1
, ID
A
1
, ID
B
1
), (u
2
, ID
A
2
, ID
B
2
)) to be
E
(u
1
, u
2
) if if A
1
= A
2
and
B
1
= B
2
, or false otherwise.
Now we will show that otc
with non-
negligible probability. We convert this to an adversary /
E
which can break
the IND-CCA2 security of c with the same probability, in the same time,
and using the same number of oracle queries.
Let (EK
B
, DK
B
) be the key pair which /
E
is trying to attack. In the nd
stage, after being given EK
B
, /
E
does the following:
1. (SK
B
, VK
B
) Sig-KeyGen(1
k
)
2. (m
0
, m
1
, ID
A
, ) /
EtS
((VK
B
, EK
B
), nd)
3. s
0
Sig
SK
A
(m
0
[[ID
B
)
4. s
1
Sig
SK
A
(m
1
[[ID
B
)
5. Return (m
0
[[s
0
[[ID
A
, m
1
[[s
1
[[ID
A
, ).
In the guess stage, once given the target ciphertext e = Enc
EK
B
(m
b
[[s
b
[[ID
A
)
for b
R
0, 1, /
E
does the following:
1. Return
b /
StE
((e, ID
A
, ID
B
), , guess).
Note that /
StE
may make queries to its de-signcryption oracle. To respond
to a query (e
, ID
A
, ID
B
), /
E
does the following:
1. If
E
(e, e
) = true return .
2. m[[s[[ID
A
Dec
DK
B
(e
)
25
3. If ID
A
,= ID
A
return .
4. If Ver
VK
A
(m[[ID
B
, s) = succeed return m else return .
Note that /
E
may perform step 2 using its decryption oracle, since step 1
guarantees that e
) =
true. Suppose then that /
StE
makes some oracle query (e
, ID
A
, ID
B
) for
which
E
(e, e
too is an encryption of m
b
[[s
b
[[ID
A
.
Now there are two cases to consider. If ID
A
,= ID
A
then step 2 of VerDec
would return , just as step 1 above. Otherwise ID
A
= ID
A
, and then
StE
((e, ID
A
, ID
B
), (e
, ID
A
, ID
B
)) =
E
(e, e
StE
does not query its de-signcryption oracle with anything
equivalent to the target ciphertext.
Authenticity: Suppose there is an adversary /
EtS
which can break
the UF-CMA security of cto
, ID
A
, ID
B
), /
S
does the following:
1. e
Enc
EK
B
(m
[[ID
A
)
2. s
Sig
SK
A
(e
[[ID
B
)
3. Return (e
, s
).
Note that /
S
may perform step 2 using its signing oracle. We must check,
however, that the message e[[ID
B
signed by /
S
is not equal to any of
the messages e
[[ID
B
passed to its signing oracle. Suppose otherwise, i.e.
ID
B
= ID
B
and e = e
(m[[ID
A
) for some m,
and e
= Enc
EK
B
(m
[[ID
A
) = Enc
EK
B
(m
[[ID
A
) for some m
. Then since
e = e
we have Enc
EK
B
(m[[ID
A
) = Enc
EK
B
(m
[[ID
A
), which implies that
m[[ID
A
= m
[[ID
A
, so m = m
versus otc
to 0, 1
l
for
some l. (The length parameter l need not be the same for G and H.)
They are assumed to behave like random oracles
1
for the purpose of
security proofs.
4.2 Zhengs Original Scheme
In 1997, Zheng eectively launched the study of signcryption by giving a
pair of signcryption schemes which are signicantly more ecient than otc
both in terms of computation and message expansion [15]. These schemes
have served as a template for several other signcryption schemes, including
those presented in this chapter.
Here we present the rst of Zhengs signcryption schemes. It is based
on a shortened version of the Digital Signature Standard known as SDSS1
(Shortened Digital Signature Standard). This signature scheme is dened
as follows:
Sig(m):
1
A random oracle is a theoretical model of a perfect cryptographic hash function.
Given a new input x {0, 1}
q
,
given g, g
a
, and g
b
, compute g
ab
.
Decisional Die-Hellman Problem (DDHP): For a, b, c Z
q
,
given g, g
a
, g
b
, and g
c
, decide whether c ab (mod q).
Gap Die-Hellman Problem (GDHP): Solve CDHP, given an
oracle to solve DDHP.
Note that the computational and decisional Die-Hellman problems have
been well studied, while less is known about the more recent gap Die-
Hellman problem, thus casting some doubt on security proofs based upon
32
it. Further details about the gap Die-Hellman problem can be found in
Okamoto and Pointcheval [9].
Now we return to the results of Baek et al. They prove that Zhengs
scheme provides condentiality in a sense slightly weaker than IND-CCA2-
security in the outsider model, under the assumption that the gap Die-
Hellman problem is hard. They show that it provides authenticity in a
sense slightly weaker than UF-CMA-security in the insider model, under the
assumption that the computational Die-Hellman problem is hard. In both
cases, the dierence between their model and the one presented here is that
the signcryption oracle is SigEnc(, ID
A
, ID
B
), rather than SigEnc(, ID
A
, ).
That is, the adversary does not get to choose the recipient when asking for
the signcryption of a message. (The de-signcryption oracle, however, is left
unchanged.)
4.3 Adding Non-Repudiation
Zhengs original scheme did provide a mechanism for non-repudiation. How-
ever, Petersen and Michels [11] showed that this mechanism compromises the
condentiality of the system. To overcome this problem, Bao and Deng [3]
modied Zhengs scheme, giving the following signcryption scheme
3
:
SigEnc(m, ID
A
, ID
B
):
* 1. x
R
[1, . . . , q 1]
* 2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
* 6. r H(k[[m[[y
A
[[y
B
)
* 7. s x/(r + x
A
) mod q
8. Return (c, r, s).
VerDec(c, r, s, ID
A
, ID
B
):
* 1. k (y
A
g
r
)
s
mod p
2. K k
x
B
mod p
3. K
enc
G(K)
4. m D
Kenc
(c)
* 5. If r = H(k[[m[[y
A
[[y
B
) return m, else return .
3
In fact, Bao and Deng specied r H(m||yA||yB||k) in step 6, but we move k to the
beginning here to allow for SDSS1-veriability.
33
This scheme is very similar to Zhengs, except for the following changes:
1. The computations k g
x
mod p and k (y
A
g
r
)
s
mod p from the
original SDSS1 signature scheme are added back.
2. The computation r H(m[[y
A
[[y
B
[[K) is replaced by
r H(k[[m[[y
A
[[y
B
).
Thanks to these changes, the steps of SigEnc with asterisks (*) are precisely
the signature algorithm of SDSS1, when signing the message m[[y
A
[[y
B
.
Similarly, the steps of VerDec with asterisks are precisely the verication
algorithm of SDSS1, when verifying the same message. Thus to achieve non-
repudiation, the recipient of a message (c, r, s, ID
A
, ID
B
) can simply compute
m as in VerDec, and then send (m[[y
A
[[y
B
, r, s) to the verier, who then
veries that this is a valid SDSS1 signature using As public key. Thus this
is an SDSS1-veriable signature scheme.
In this scheme, signcryption requires two modular exponentiations, while
de-signcryption requires three. Thus most of the computational advantage
of Zhengs scheme over otc has been lost. However, the advantage in com-
munication overhead remains, since the overhead of Bao and Dengs scheme
is [ H()[ +[q[ bits, as with Zhengs scheme.
Note that this scheme provides insider security against UF-CMA attacks
as long as SDSS1 is UF-CMA-secure
4
. To see this, suppose there exists an
adversary / which can break its UF-CMA-security with non-negligible prob-
ability. Then we can construct an adversary /
does:
1. (c, r, s, ID
B
) /(y
A
)
2. m VerDec(c, r, s, ID
A
, ID
B
)
3. Return (m[[y
A
[[y
B
, r, s).
Note that /
as well.)
Unfortunately, this scheme does not provide IND-CCA2 security, since an
adversary can easily determine which of two messages m
0
, m
1
corresponds to
a challenge ciphertext (c, r, s, ID
A
, ID
B
) checking which of (m
0
[[y
A
[[y
B
, r, s)
or (m
1
[[y
A
[[y
B
, r, s) is a valid SDSS1 signature.
4
Zheng [15] claims that SDSS1 can be proven UF-CMA-secure by adapting the argument
of Pointcheval and Stern [13] for the Schnorr signature scheme.
34
4.4 A DSA-Veriable Scheme
Shin, Lee, and Shim [14] observed that Bao and Dengs method could be
used to construct signcryption schemes from an entire class of ElGamal-type
signature schemes; namely, those for which k = g
x
mod p can be computed
by the recipient of a signature, without knowing the message m. Suppose
that o is such a signature scheme. Then the corresponding o-veriable
signcryption scheme is:
SigEnc(m, ID
A
, ID
B
):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
6. Compute As signature s Sig(m[[y
A
[[y
B
) using the values x
and k from above.
7. Return (c, s).
VerDec(c, s, ID
A
, ID
B
):
1. Compute k = g
x
mod p as specied by o.
2. K k
x
B
mod p
3. K
enc
G(K)
4. m D
Kenc
(c)
5. Compute a Ver(m[[y
A
[[y
B
, s) using the value k = g
x
mod p
computed in step 1.
6. If a = succeed return m, otherwise return .
To achieve non-repudiation, the recipient of a message (c, s) simply computes
m as in VerDec, then sends (m[[y
A
[[y
B
, s) to the verier, who then veries
that this is a valid signature using o.
This indeed generalizes Bao and Dengs scheme, since their scheme re-
sults from applying the above construction to SDSS1.
One would like to apply this construction to the widely-used Digital
Signature Algorithm (DSA), which is dened as follows:
Sig(m):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. r k mod q
35
4. h H(m)
5. s (h + x
A
r)/x mod q
6. Return (m, r, s).
Ver(m, r, s):
1. h H(m)
2. e
1
h/s mod q
3. e
2
r/s mod q
4. k g
e
1
y
e
2
A
mod p
5. If r = k mod q return succeed, else return fail.
Unfortunately, DSA does not satisfy the requirement that k = g
x
mod p can
be computed without knowing the message m, so the construction cannot
be directly applied to DSA. However, Shin, Lee, and Shim were able to
overcome this problem by introducing a modied version of DSA called
MDSA:
Sig(m):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. r k mod q
4. h H(m)
5. s (h + x
A
r)/x mod q
6. e
1
h/s mod q
7. e
2
r/s mod q
8. Return (m, e
1
, e
2
).
Ver(m, e
1
, e
2
):
1. h H(m)
2. k g
e
1
y
e
2
A
mod p
3. r k mod q
4. s r/e
2
mod q
5. If e
1
s h mod q return succeed, else return fail.
MDSA is essentially the same as DSA, except that the computation of e
1
and
e
2
has been moved from Ver to Sig, and Ver has been adjusted accordingly.
36
Note that in step 2 the verier computes
k = g
e
1
y
e
2
A
mod p
= g
h/s
g
x
A
(r/s)
mod p
= g
(h+x
A
r)/s
mod p
= g
(h+x
A
r)/((h+x
A
r)/x)
mod p
= g
x
mod p
without using the message m. Thus the generalized construction of Bao and
Deng can be applied to MDSA.
Further, MDSA is strongly equivalent to DSA. By this, we mean that a
valid MDSA signature can be eciently converted to a valid DSA signature
and vice versa, without using the private key. The following is a restatement
of the theorem and proof given by Shin, Lee, and Shim [14], with missing
details lled in by the author.
Theorem 4.1. MDSA is strongly equivalent to DSA.
Proof. Suppose that (m, e
1
, e
2
) is a valid MDSA signature. That is, e
1
s h
(mod q), where s = ((g
e
1
y
e
2
A
mod p) mod q)/e
2
mod q and h = H(m). Then
(m, , ) is a valid DSA signature, where = (g
e
1
y
e
2
A
mod p) mod q and
= /e
2
mod q, since
e
1
s h (mod q)
e
1
(/e
2
) H(m) (mod q)
e
1
H(m) (mod q)
e
1
H(m)/ (mod q)
g
e
1
g
H(m)/
(mod p)
g
e
1
y
e
2
A
g
H(m)/
y
e
2
A
(mod p)
g
e
1
y
e
2
A
g
H(m)/
y
/
A
(mod p)
= (g
e
1
y
e
2
A
mod p) mod q = (g
H(m)/
y
/
A
mod p) mod q.
This last condition is precisely what DSAs verication algorithm checks to
determine whether (m, , ) is a valid signature.
Now suppose that (m, r, s) is a valid DSA signature. That is, r = (g
e
1
y
e
2
A
mod p) mod q, where e
1
= H(m)/s mod q and e
2
= r/s mod q. Then
(m, , ) is a valid MDSA signature, where = H(m)/s mod q and =
37
r/s mod q, since
r (g
e
1
y
e
2
A
mod p) (mod q)
r (g
A
mod p) (mod q)
(/) r (/) (g
A
mod p) (mod q)
H(m)/s
r/s
r ((g
A
mod p)/) (mod q)
H(m) = (((g
A
mod p) mod q)/ mod q) (mod q).
This last condition is precisely what MDSAs verication algorithm checks
to determine whether (m, , ) is a valid signature.
It is easy to see that if two signature schemes are strongly equivalent,
then they have the same security properties. Thus if DSA is UF-CMA-secure,
then so is MDSA. At present, it has not been proven that DSA is UF-CMA-
secure, but it is widely used in practise, and no signicant security aws are
known.
By applying the generalized technique of Bao and Deng to MDSA, we get
an MDSA-veriable signcryption scheme. Then using the strong equivalence
of MDSA and DSA, we can easily modify the non-repudiation procedure to
get the following DSA-veriable signcryption scheme:
SigEnc(m, ID
A
, ID
B
):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
6. r k mod q
7. h H(m[[y
A
[[y
B
)
8. s (h + x
A
r)/x mod q
9. e
1
h/s mod q
10. e
2
r/s mod q
11. Return (c, e
1
, e
2
).
VerDec(c, e
1
, e
2
, ID
A
, ID
B
):
1. k g
e
1
y
e
2
A
mod p
2. K k
x
B
mod p
3. K
enc
G(K)
38
4. m D
Kenc
(c)
5. h H(m[[y
A
[[y
B
)
6. r k mod q
7. s r/e
2
mod q
8. If e
1
s h mod q return m, else return .
To achieve non-repudiation, the recipient sends (m[[y
A
[[y
B
, r, s) to the ver-
ier, where m, r, and s are the values computed in VerDec. If (c, e
1
, e
2
,
ID
A
, ID
B
) is a valid signcryption, then (m[[y
A
[[y
B
, e
1
, e
2
) is a valid MDSA
signature, and thus (m[[y
A
[[y
B
, r, s) is a valid DSA signature, as shown in
Theorem 4.1.
Unfortunately, this scheme does not provide IND-CCA2 security. As with
Bao and Dengs scheme, an adversary can easily determine which of two
messages m
0
, m
1
corresponds to a challenge ciphertext (c, e
1
, e
2
, ID
A
, ID
B
)
checking which of (m
0
[[y
A
[[y
B
, e
1
, e
2
) or (m
1
[[y
A
[[y
B
, e
1
, e
2
) is a valid MDSA
signature. To solve this problem, Shin, Lee, and Shim propose a slightly
modied version of the scheme called SC-DSA+. It is dened as follows:
SigEnc(m, ID
A
, ID
B
):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
6. r k mod q
7. h H(m[[y
A
[[y
B
[[K)
8. s (h + x
A
r)/x mod q
9. e
1
h/s mod q
10. e
2
r/s mod q
11. Return (c, e
1
, e
2
).
VerDec(c, e
1
, e
2
, ID
A
, ID
B
):
1. k g
e
1
y
e
2
A
mod p
2. K k
x
B
mod p
3. K
enc
G(K)
4. m D
Kenc
(c)
5. r k mod q
6. s r/e
2
mod q
7. h H(m[[y
A
[[y
B
[[K)
39
8. If e
1
s h mod q return m else return .
To achieve non-repudiation, the recipient of a message simply computes
m, r, s, and K as in VerDec, and sends (m[[y
A
[[y
B
[[K, r, s) to the verier,
who then veries that this is a valid DSA signature using As public key.
This scheme is precisely the same as the previous one, except that the
step h H(m[[y
A
[[y
B
) has been changed to h H(m[[y
A
[[y
B
[[K). This
prevents the previous simple attack on IND-CCA2 security, since an outsider
adversary cannot eciently compute the value K.
As with Bao and Dengs scheme in Section 4.3, it is straightforward
that SC-DSA+ is UF-CMA-secure in the insider model as long as MDSA (or
equivalently, DSA) is UF-CMA-secure. The proof of condentiality for SC-
DSA+ is simply an adaptation of the proof for Zhengs original scheme, and
uses the same security model. That is, SC-DSA+ provides condentiality
in a sense slightly weaker than IND-CCA2-security in the outsider model.
Note that this scheme provides past recovery, since the sender of a mes-
sage (c, e
1
, e
2
, ID
A
, ID
B
) can compute:
1. k g
e
1
y
e
2
A
mod p
2. r k mod q
3. s r/e
2
mod q
4. h e
1
s mod q
5. x (h + x
A
r)/s mod q
6. K y
x
B
mod p
7. K
enc
G(K)
8. m D
Kenc
(c).
40
Chapter 5
Signcryption from Trapdoor
Permutations
5.1 Trapdoor Permutation Families
Trapdoor permutations are an important building block of public-key cryp-
tography. A trapdoor permutation is simply a permutation f : S S on
some nite set S, which can be eciently evaluated by anyone, but whose
inverse permutation f
1
: S S can only be eciently evaluated by using
some secret trapdoor information.
5.1.1 Syntax
More formally, we dene a trapdoor permutation family as a triple of algo-
rithms (Trap-Gen, Eval, Invert):
Trap-Gen is a randomized algorithm which accepts 1
k
, where k is a
security parameter, and outputs a pair (f, f
1
), where f is a per-
mutation over some set S and f
1
is its inverse permutation. This
operation is denoted by (f, f
1
) Trap-Gen(1
k
).
Eval is a deterministic algorithm which accepts a permutation f gen-
erated by Trap-Gen, as well as some x S, where S is the set over
which f is dened. It outputs some y S. This operation is denoted
by y Eval(f, x), or simply y f(x).
Invert is a deterministic algorithm which accepts some f
1
generated
by Trap-Gen and some y S, where S is the set over which f is
41
dened. It outputs some x S. This operation is denoted by x
Invert(f
1
, y), or simply x f
1
(y).
We require that f
1
(f(x)) = x for all x, and for all pairs (f, f
1
) generated
by Trap-Gen. This ensures both that f is a permutation, and that f
1
is
the inverse permutation of f.
5.1.2 Security
As was the case for encryption, signature, and signcryption schemes, we
dene the security of a trapdoor permutation family in terms of the goal
and capabilities of an adversary.
We will take the goal of the adversary to be inverting a randomly chosen
element. To achieve this goal, the adversary / must win the following game:
1. (f, f
1
) Trap-Gen(1
k
)
2. y
R
S (where S is the set over which f is dened)
3. x /(f, y).
/ wins in the case that x = f
1
(y). As for the capabilities of the adversary,
we only give it access to the permutation f. We require that a trapdoor
permutation family satisfy Pr[/ wins] < negl(k) for any such adversary /.
Note that we have chosen a particularly strong goal for the adversary, and
given it particularly weak capabilities. (A weaker goal would, for example,
be one which required / to determine only some information about x from
y. Stronger capabilities could include access to an oracle for f
1
.) This
means that the security level provided by a trapdoor permutation family is
quite weak. However, it is still possible to build strongly secure encryption
and signature schemes from trapdoor permutation families. As we will see in
this chapter, it is also possible to build strongly secure signcryption schemes
from them. Thus their weak notion of security is an advantage, making
them easier to construct and analyze.
5.1.3 Examples
The most commonly used trapdoor permutation family is RSA, which is
dened as follows:
Trap-Gen(1
k
):
1. Choose two random k-bit primes, p and q.
2. n p q
42
3. (n) (p 1) (q 1)
4. Choose e such that 1 < e < (n) and e is coprime to (n).
5. Compute d such that 1 < d < (n) and d e 1 (mod (n)).
6. Return ((e, n), (d, n)).
Eval((e, n), x):
1. Return y x
e
mod n.
Invert((d, n), y):
1. Return x y
d
mod n.
Note that it is not yet known whether RSA is in fact a trapdoor permutation
family, because it has not been proven to satisfy the security requirement
dened above, even under the well-accepted assumption that factoring n
is intractable. However, there are other families which have been proven
secure, such as that of Paillier [10], which has been shown to be secure
under the assumption that factoring is hard.
5.2 Cryptography from Trapdoor Permutations
Originally, trapdoor permutations were used directly as encryption and sig-
nature schemes. For example, to encrypt a message m for a recipient B,
one would simply compute c = f
B
(m), where f
B
is Bs trapdoor function.
Of course, the recipient would then compute m = f
1
B
(c) using his secret
trapdoor information. Unfortunately, this simple scheme does not provide
indistinguishability, since anyone can distinguish between f(m
0
) and f(m
1
),
for any m
0
and m
1
. Similarly, to sign a message m, a sender A would sim-
ply compute s = f
1
A
(m), and then anyone could verify that f
A
(s) = m.
However, this does not provide unforgeability, since any user can compute
valid message/signature pairs (f
A
(s
), s
) for any s
.
The solution to both of these problems is to rst apply a padding function
to the message, then apply the trapdoor permutation to some or all of the
padded message. Thus a trapdoor-based encryption scheme typically looks
like:
Enc-KeyGen(1
k
) :
1. (f, f
1
) Trap-Gen(1
k
)
2. Return (f, f
1
).
Enc(m):
1. m
Enc-Pad(m)
43
2. Return c f
B
(m
).
Dec(c):
1. m
f
1
B
(c)
2. Return m Enc-Depad(m
).
Likewise, a trapdoor-based signature scheme typically looks like:
KeyGen(1
k
) :
1. (g, g
1
) Trap-Gen(1
k
)
2. Return (g
1
, g).
Sig(m):
1. m
Sig-Pad(m)
2. s g
1
A
(m
)
3. Return (m, s).
Ver(m, s):
1. m
Sig-Pad(m)
2. m
g
A
(s)
3. If m
= m
and
cto
:
KeyGen(1
k
) :
1. (f, f
1
) Enc-KeyGen(1
k
)
2. (g
1
, g) Sig-KeyGen(1
k
)
3. Return ((g
1
, f
1
), (g, f)).
SigEnc(m, ID
A
, ID
B
):
1. m
Sig-Pad(m[[ID
B
)
2. s g
1
A
(m
)
3. s
Enc-Pad(m[[s[[ID
A
)
4. u f
B
(s
)
5. Return (u, ID
A
, ID
B
).
This scheme has the following drawbacks:
44
Each user must maintain two distinct trapdoor permutations: one for
encrypting (f), and one for signing (g).
Two padding steps are required; one for encryption, and one for sig-
nature. Since padding steps generally lengthen their inputs, this un-
necessarily lengthens the input to the second trapdoor permutation,
as well as the nal ciphertext output.
The identity of the recipient is appended before signing, and the iden-
tity of the sender is appended before encrypting. This unnecessarily
lengthens the inputs to the trapdoor permutations, as well as the nal
ciphertext output.
Dodis, Freedman, Jarecki, and Walsh [5] have proposed a series of
trapdoor-based signcryption schemes which addresses all three of these prob-
lems. Their schemes require each user to maintain only a single trapdoor
permutation, which is used to achieve both condentiality and authenticity.
Only a single padding step is required, which is applied just before the trap-
door permutations of the sender and recipient. The identities of the sender
and recipient are fed in as inputs to the padding step, but do not lengthen
its output. Abstractly, their schemes all have the following pattern:
KeyGen(1
k
):
1. (f, f
1
) Trap-Gen(1
k
)
2. Return (f
1
, f).
SigEnc(m, ID
A
, ID
B
):
1. m
Pad(m, ID
A
, ID
B
)
2. Apply f
B
and f
1
A
to m
, to get u.
3. Return u.
VerDec(u, ID
A
, ID
B
):
1. Apply f
1
B
and f
A
to u, to get m
.
2. m Depad(m
, ID
A
, ID
B
).
3. Return m.
The trapdoor functions f
A
and f
B
are each dened over the set 0, 1
l
for
some l. (Most often both f
A
and f
B
will use the same value of l.)
First we consider step 2 of the signcryption function, where the trapdoor
permutations are applied. Since two trapdoor permutations are involved,
there are several ways in which they can be applied. Dodis et al. [5] consider
the following three ways, which they call modes of operation. Each of them
considers m
= (w[[s).
45
Parallel mode: u f
B
(w)[[f
1
A
(s). This mode has the advantage that
the two trapdoor permutations can be applied in parallel, but the
disadvantage that the minimum ciphertext length is twice the output
size of the trapdoor permutations. A further advantage is that f
A
and
f
B
can be of dierent lengths.
Sequential mode: u f
B
(f
1
A
(w[[s)). In this case, the trapdoor per-
mutations must be applied sequentially, but the minimum ciphertext
length is half that of the parallel method.
Extended sequential mode: u f
B
(f
1
A
(w))[[s. This mode is a slight
modication of the sequential mode. Its minimum ciphertext length
is only slightly longer than that of the sequential method (since s can
be chosen to be very short), while it admits a much tighter security
proof.
Next we turn our attention to the padding step of the signcryption func-
tion. As it turns out, there is a single padding scheme which can be used
with all three of the above modes (parallel, sequential, and extended sequen-
tial) by simply adjusting some parameters. It is the second of two so-called
Probabilistic Signature and Encryption Paddings given by Dodis et al. [5],
and thus called PSEP2. It is dened as follows:
Pad(m, ID
A
, ID
B
):
1. (m
1
[[m
2
) m
2. r
R
0, 1
|d||m
2
|
3. c (m
1
K(r)) [[ K
(m
2
[[r)
4. d (m
2
[[r)
5. w d G(ID
A
[[ID
B
[[c)
6. s c H(w)
7. Return (w, s).
Depad(w, s, ID
A
, ID
B
):
1. c s H(w)
2. d w G(ID
A
[[ID
B
[[c)
3. (m
2
[[r) d
4. ([[) c
5. If = K
(m
2
[[r) continue, else return .
6. m
1
K(r)
7. Return m (m
1
[[m
2
).
46
Note that steps 2 through 4 of the padding operation (and steps 3 through 6
of the de-padding operation) constitute a commitment scheme, while steps
5 and 6 of the padding operation (and steps 1 and 2 of the de-padding
operation) are simply two rounds of a Feistel Transform applied to (d, c)
with round functions G(ID
A
[[ID
B
[[c) and H(w).
The parameters which may be adjusted are [m
1
[, [m
2
[, [c[, and [d[. These
must be adjusted in accordance with the level of security desired, the lengths
of f
A
and f
B
, and the mode of operation being used.
Note that PSEP2 is only able to handle messages of length up to [m
1
[ +
[m
2
[, which is typically a small value. In some applications, such as key
transport, this may not be a problem. However, in other applications such
as email, messages of arbitrary length must be handled. Dodis et al. [5] have
provided a simple solution to this problem. They propose using a private
key encryption scheme (E, D) to encrypt the message m under a randomly-
chosen key K
enc
, then signcrypting K
enc
as before. One small modication
is necessary; namely, to prevent the ciphertext from tampering we include
it in the hash computation in step 5 of the padding operation and step 2 of
the de-padding operation. This gives the following signcryption scheme:
SigEnc(m, ID
A
, ID
B
):
1. Choose a symmetric encryption key K
enc
at random.
2. c
E
Kenc
(m)
3. (m
1
[[m
2
) K
enc
4. r
R
0, 1
|d||m
2
|
5. c (m
1
K(r)) [[ K
(m
2
[[r)
6. d (m
2
[[r)
7. w d G(c
[[ID
A
[[ID
B
[[c)
8. s c H(w)
9. Apply f
B
and f
1
A
to (w, s) to get u.
10. Return (c
, u).
VerDec(c
, u, ID
A
, ID
B
):
1. Apply f
1
B
and f
A
to u to get (w, s).
2. c s H(w)
3. d w G(c
[[ID
A
[[ID
B
[[c)
4. (m
2
[[r) d
5. ([[) c
6. If = K
(m
2
[[r) continue, else return .
7. m
1
K(r)
47
8. K
enc
(m
1
[[m
2
)
9. Return m D
Kenc
(c
).
In fact, this denes three dierent signcryption schemes, since the mode of
operation (parallel, sequential, or extended sequential) is not specied.
5.3 Properties of PSEP2
PSEP2 has several advantages over other signcryption schemes we have seen
so far. First of all, it provides the highest possible levels of security, namely
IND-CCA2 and sUF-CMA in the insider security model.
Another advantage is that PSEP2 can be used as a plain encryption
or signature scheme. By replacing f
A
with the identity permutation, it
becomes an IND-CCA2-secure encryption scheme, and by replacing f
B
with
the identity permutation, it becomes an sUF-CMA-secure signature scheme.
Here we will call these schemes PSEP2-ENC and PSEP2-SIG, respectively.
Dodis et al. [5] did not explicitly consider non-repudiation, but it turns
out that we can easily add it to PSEP2. To see this, consider the three
possible trapdoor steps:
u f
B
(w)[[f
1
A
(s) (Parallel mode)
u f
B
(f
1
A
(w[[s) (Sequential mode)
u f
B
(f
1
A
(w))[[s (Extended sequential mode)
Note that in each case, the recipient can apply f
1
B
to the appropriate part
of the ciphertext, thereby replacing f
B
with the identity permutation and
giving a valid PSEP2-SIG signature. That is, PSEP2 is a PSEP2-SIG-
veriable signcryption scheme, and thus provides non-repudiation.
Note that PSEP2 does not provide a signicant computational advantage
over trapdoor-based otc
(or cto
.
With respect to communication overhead, there is a bit more room for
improvement. This is because the ciphertext is lengthened not only by the
signature and encryption steps, but also by the senders identity, which is
appended before encryption. If the identity is hashed to minimize its length,
then we have
Cost(Encryption), Cost(Signature) Cost(Signcryption)
Cost(Encryption) + Cost(Signature) +[ H()[.
Here we can assume that [ H()[ is less than the overhead introduced by the
encryption and signature steps, so we certainly cannot expect more than a
three-fold improvement in communication overhead over otc
.
6.2 Comparison Charts
Now we turn our attention to those features which can be more easily com-
pared. In Table 6.1 we look at the levels of security provided by each of
the proposed signcryption schemes. In the table, the less-than symbol (<)
indicates that a slightly weaker security level is achieved, as explained in
Section 4.2. Question marks (???) indicate that the problem has not been
explicitly considered (although in these cases it is known that indistinguisha-
bility is not provided), while a dash () indicates that no security is pro-
vided.
Here PSEP2 is the clear winner, with all three of its modes of operation
providing a better level of security than even cto
and otc
and
otc
provide quite good security, but only if the underlying encryption and
signature schemes do as well. Bao and Dengs scheme and SC-DSA+ are in
a similar situation, since their UF-CMA security depends on the unproven
assumption that DSA is UF-CMA-secure.
51
Outsider Security Insider Security
Conf. Auth. Conf. Auth.
cto
Forward Secrecy
c&o Yes Yes, any Forward Secrecy SC
Zheng Past Recovery
Bao & Deng Yes Past Recovery SC
SC-DSA+ Yes Yes, DSA Past Recovery SC
PSEP2 (P) Yes Yes, PSEP2-SIG Forward Secrecy SC, DSC
PSEP2 (S) Yes Yes, PSEP2-SIG Forward Secrecy
PSEP2 (X) Yes Yes, PSEP2-SIG Forward Secrecy
Table 6.2: Feature Comparison
In Table 6.2 we look at which properties are oered by each of the
signcryption schemes. The rst column indicates whether a secure non-
repudiation mechanism is available. The second column indicates whether
the signcryption scheme is o-veriable, and if so, for which signature scheme.
The third column indicates which of forward secrecy or past recovery is
provided. The last column indicates whether the signcryption (SC) or de-
signcryption (DSC) steps can be parallelized. The letters (P, S, X) beside
PSEP2 indicate the mode of operation (parallel, sequential, extended se-
quential).
Once again, PSEP2 compares very favourably to the others, especially its
parallel mode of operation. Its only disadvantage is that its non-repudiation
mechanism involves a non-standard signature scheme (PSEP2-SIG). otc
is
52
also a good choice in cases where parallelization is not important. It has
a very simple and o-veriable non-repudiation mechanism. In cases where
past recovery is required, then clearly SC-DSA+ is the best choice.
53
Chapter 7
Conclusions
7.1 Lessons Learned
Although Zheng originally set out to achieve greater eciency by combining
encryption and signature schemes, the focus has subsequently shifted to
other issues, such as security and non-repudiation. The issue of security
is of key importance, since it has implications for all systems which use
encryption and signatures together. There are many such systems in use
today, and it would be worthwhile to reconsider them in terms of the security
model for signcryption.
The security model has taught us what is perhaps the most important
lesson to be learned from signcryption, namely that simply composing two
cryptographic primitives (in this case, encryption and signature schemes)
does not necessarily result in something which satises the security prop-
erties of both. It was only after dening an appropriate security model
that we were able to pinpoint and correct the defects of the widely-used
sign-then-encrypt paradigm.
7.2 Directions for Future Research
Ultimately, one would like to have a signcryption scheme which simultane-
ously
provides IND-CCA2 and sUF-CMA security in the insider model;
has computational and communication overhead not signicantly
greater than a conventional encryption or signature scheme;
55
has key sizes not signicantly greater than a conventional encryption
or signature scheme;
allows each user to choose his key size independently;
provides a secure non-repudiation mechanism, preferably via a widely-
used signature scheme;
allows for signicant parallelization in both the signcryption and de-
signcryption steps; and
provides ecient encrypt-only and sign-only modes.
Of all the signcryption schemes presented here, none of them are able to
achieve all of these goals. PSEP2 (in its parallel mode) comes the closest, but
it is suboptimal with respect to computational overhead, and provides non-
repudiation only via its own special-purpose signature scheme. There is still
plenty of room for improvement on the way to a truly optimal signcryption
scheme.
Another area worthy of exploration is the use of the signcryption prim-
itive in cryptographic protocols. The signcryption primitive is a powerful
abstraction, since it encompasses not only condentiality and authenticity,
but also user identities (via its multi-user security denition). As mentioned
in the introduction, this has allowed for the construction of a very simple au-
thenticated key-exchange protocol. Undoubtedly there are other protocols
which could be similarly simplied using signcryption.
56
Bibliography
[1] Jee Hea An, Yevgeniy Dodis, and Tal Rabin. On the security of joint sig-
nature and encryption. In L.R. Knudsen, editor, Proc. of Eurocrypt 02,
volume 2332 of LNCS, pages 83107. Springer-Verlag, 2002. Updated
version available at: http://theory.lcs.mit.edu/
yevgen/ps/signcrypt.
ps.
[2] Joonsang Baek, Ron Steinfeld, and Yuliang Zheng. Formal proofs for
the security of signcryption. In D. Naccache and P. Paillier, editors,
Proc. of PKC 02, volume 2274 of LNCS, pages 8098. Springer-Verlag,
2002.
[3] Feng Bao and Robert H. Deng. A signcryption scheme with signature
directly veriable by public key. In H. Imai and Y. Zheng, editors, Proc.
of PKC 98, volume 1431 of LNCS, pages 5559. Springer-Verlag, 1998.
[4] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A
paradigm for designing ecient protocols. In Proc. of First ACM Con-
ference on Computer and Communications Security, pages 6273. ACM
Press, 1993.
[5] Yevgeniy Dodis, Michael J. Freedman, Stanislaw Jarecki, and Shabsi
Walsh. Optimal signcryption from any trapdoor permutation, 2004.
Cryptology ePrint Archive, Report 2004/020. http://eprint.iacr.org/
2004/020/.
[6] Hugo Krawczyk and Tal Rabin. Chameleon signatures. In Proc. of
NDSS 00, pages 143154, 2000.
[7] John Malone-Lee. Identity based signcryption, 2002. Cryptology ePrint
Archive, Report 2002/098. http://eprint.iacr.org/2002/098/.
[8] Alfred Menezes and Nigel Smart. Security of signature schemes in a
multi-user setting. In Dieter Jungnickel, Jennifer Key, and Peter Wild,
57
editors, Designs, Codes and Cryptography, volume 33, pages 261274.
Kluwer Academic Publishers, 2004.
[9] Tatsuaki Okamoto and David Pointcheval. The gap-problems: A
new class of problems for the security of cryptographic schemes. In
K. Kim, editor, Proc. of PKC 01, volume 1992 of LNCS, pages 104
118. Springer-Verlag, 2001.
[10] Pascal Paillier. A trapdoor permutation equivalent to factoring. In
H. Imai and Y. Zheng, editors, Proc. of PKC 99, volume 1560 of LNCS,
pages 219222. Springer-Verlag, 1999.
[11] H. Petersen and M. Michels. Cryptanalysis and improvement of sign-
cryption schemes. In IEE Proceedings Computers and Digital Tech-
niques, volume 145, pages 149151. 1998.
[12] Josef Pieprzyk and David Pointcheval. Parallel authentication and
public-key encryption. In R. Safavi-Naini and J. Seberry, editors, Proc.
of ACISP 03, volume 2727 of LNCS, pages 387401. Springer-Verlag,
2003.
[13] David Pointcheval and Jacques Stern. Security proofs for signature
schemes. In U. Maurer, editor, Proc. of Eurocrypt 96, volume 1070 of
LNCS, pages 387398. Springer-Verlag, 1996.
[14] Jun-Bum Shin, Kwangsu Lee, and Kyungah Shim. New DSA-veriable
signcryption schemes. In P.J. Lee and C.H. Lim, editors, Proc. of ICISC
02, volume 2587 of LNCS, pages 3547. Springer-Verlag, 2002.
[15] Yuliang Zheng. Digital signcryption or how to achieve cost(signature
& encryption) cost(signature) + cost(encryption). In B.S. Kaliski
Jr., editor, Proc. of Crypto 97, volume 1294 of LNCS, pages 165179.
Springer-Verlag, 1997.
58