TY - GEN
T1 - On the security of joint signature and encryption
AU - An, Jee Hea
AU - Dodis, Yevgeniy
AU - Rabin, Tal
N1 - Publisher Copyright: © Springer-Verlag Berlin Heidelberg 2002.
PY - 2002
Y1 - 2002
N2 - We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encrypt-then-sign” (ɛtS) and “sign-then-encrypt” (Stɛ) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call “commit-then-encrypt-and-sign” (Ctɛ&S). Unlike the generic sequential composition methods, Ctɛ&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the Stɛ and ɛtS schemes. We also show that the new Ctɛ&S method elegantly combines with the recent “hash-sign-switch” technique of [30], leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
AB - We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encrypt-then-sign” (ɛtS) and “sign-then-encrypt” (Stɛ) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call “commit-then-encrypt-and-sign” (Ctɛ&S). Unlike the generic sequential composition methods, Ctɛ&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the Stɛ and ɛtS schemes. We also show that the new Ctɛ&S method elegantly combines with the recent “hash-sign-switch” technique of [30], leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
UR - http://www.scopus.com/inward/record.url?scp=84947237328&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84947237328&partnerID=8YFLogxK
U2 - 10.1007/3-540-46035-7_6
DO - 10.1007/3-540-46035-7_6
M3 - Conference contribution
AN - SCOPUS:84947237328
SN - 9783540435532
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 83
EP - 107
BT - Advances in Cryptology - EUROCRYPT 2002 - International Conference on the Theory and Applications of Cryptographic Techniques, 2002, Proceedings
A2 - Knudsen, Lars R.
PB - Springer Verlag
T2 - International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2002
Y2 - 28 April 2002 through 2 May 2002
ER -