On the Security of Joint Signature and Encryption [chapter]

Jee Hea An, Yevgeniy Dodis, Tal Rabin
2002 Lecture Notes in Computer Science  
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35] . We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22]
more » ... ht lead one to expect, we show that classical "encryptthen-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-thenencrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of [30], leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
doi:10.1007/3-540-46035-7_6 fatcat:qiv7dnmeqjbjteuhvt6qbbqtje