Confidential Signatures and Deterministic Signcryption
Lecture Notes in Computer Science
Encrypt-and-sign, where one encrypts and signs a message in parallel, is usually not recommended for confidential message transmission. The reason is that the signature typically leaks information about the message. This motivates our investigation of confidential signature schemes, which hide all information about (high-entropy) input messages. In this work we provide a formal treatment of confidentiality for such schemes and a comprehensive discussion of the relationship of different notions
... e propose. We give constructions meeting our notions, both in the random oracle model and the standard model. As part of this we show that full domain hash signatures achieve a weaker level of confidentiality than Fiat-Shamir signatures. We then revisit the connection of confidential signatures to signcryption schemes. We give formal security models for deterministic signcryption schemes for high-entropy and low-entropy messages, and prove encrypt-and-sign to be secure for confidential signature schemes and high-entropy messages. Finally, we show that one can derandomize any signcryption scheme in our model and obtain a secure deterministic scheme.

Introduction

A common mistake amongst novice cryptographers is to assume that digital signature schemes provide some kind of confidentiality service to the message being signed. The (faulty) argument in support of this statement is (a) that all signature schemes are of the "hash-and-sign" variety, which apply a hash function to a message before applying any kind of keyed operation, and (b) that a one-way hash function will hide all partial information about a message. Both facets of this argument are incorrect. However, it does suggest that notions of confidentiality for signature schemes are an interesting avenue of research.

The question of confidentiality of hash functions in signature schemes was previously considered by Canetti as "content-concealing signatures"; however, the original treatment is naïve and serves only to motivate the concept of perfect one-way hash functions [7, 8]. We provide a more formal treatment here. The question of entropic security has also been considered by several other authors. Dodis and Smith studied entropically secure primitives, requiring that no function of their input is leaked. Russell and Wang consider the security of symmetric encryption schemes based on high-entropy messages, whereas several authors have considered the security of asymmetric encryption schemes based on high-entropy messages [3, 4, 6]. However, we are the first authors to consider the confidentiality of signatures and signcryption schemes with respect to high-entropy messages.

Defining Confidential Signatures. Our first contribution is to define confidential signatures. Our starting point is high-entropy messages (signatures for messages with low entropy inevitably leak through the verification algorithm of the signature scheme). Our definitions are based on previous efforts for highly-entropic, deterministic public-key encryption, and yield three versions of confidential signature schemes:

- Weak confidentiality means that no information is leaked to a passive adversary, except possibly for information related to the technical details of the signature scheme.
- Mezzo confidentiality means that no information is leaked to a passive adversary (in possession of the verification key). Note that this is in contrast to deterministic public-key encryption where information cannot be hidden in such circumstances.
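
As an added illustration (not code from the paper), the sketch below shows why the definitions start from high-entropy messages: with a deterministic full-domain-hash style signature, anyone holding the verification key can test guesses against the signature that encrypt-and-sign sends alongside the ciphertext. The toy RSA parameters, the function names and the three-word message space are assumptions made for this example.

```python
import hashlib
import secrets

# Toy parameters (assumption for illustration): two Mersenne primes give a
# ~150-bit modulus. Far too small for real use; chosen so the demo is instant.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public verification key
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the signer only


def fdh(message: bytes) -> int:
    """Hash the message into Z_N (SHA-256 reduced mod N as a stand-in FDH)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Deterministic signature: equal messages always give equal signatures."""
    return pow(fdh(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Public verification: needs only (N, E), the message and the signature."""
    return pow(signature, E, N) == fdh(message)


def message_leaked_by(signature: int, candidates):
    """What a passive observer with the verification key learns from a signature.

    In encrypt-and-sign the signature travels next to the ciphertext, so the
    observer never has to touch the encryption: it runs verify on each guess.
    """
    for guess in candidates:
        if verify(guess, signature):
            return guess
    return None


if __name__ == "__main__":
    orders = [b"BUY", b"SELL", b"HOLD"]   # constructed low-entropy message space
    # Low entropy: the signature alone identifies the signed message.
    print(message_leaked_by(sign(b"SELL"), orders))
    # High entropy: a 256-bit random message is outside any feasible guess list.
    print(message_leaked_by(sign(secrets.token_bytes(32)), orders))
```

Even for high-entropy messages the determinism of this toy scheme still reveals when the same message is signed twice, which is the kind of residual leakage the graded confidentiality notions are meant to capture.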