Signcryption aims to provide both confidentiality and authentication of messages more efficiently than performing encryption and signing independently. The “Commit-then-Sign & Encrypt” (CtS&E) method allows encryption and signing to be performed in parallel. Parallel execution of cryptographic algorithms decreases the computation time needed to signcrypt messages. CtS&E uses weaker cryptographic primitives in a generic way to achieve a strong security notion of signcryption. Various message pre-processing schemes, also known as message padding, have been used in signcryption as a commitment scheme in CtS&E. Due to its elegance and versatility, the sponge structure turns out to be a useful tool for designing new padding schemes such as SpAEP [T. K. Bansal, D. Chang and S. K. Sanadhya, Sponge based CCA2 secure asymmetric encryption for arbitrary length message, Information Security and Privacy – ACISP 2015, Lecture Notes in Comput. Sci. 9144, Springer, Berlin 2015, 93–106], while offering further avenues for optimization and parallelism in the context of signcryption. In this work, we design a generic and efficient signcryption scheme featuring parallel encryption and signature on top of a sponge-based message-padding structure. Unlike other existing schemes, the proposed scheme also supports arbitrarily long messages. We prove the construction secure when instantiated from weakly secure asymmetric primitives such as a trapdoor one-way encryption and a universally unforgeable signature. With a careful analysis and simple tweaks, we demonstrate how different combinations of weakly secure probabilistic and deterministic encryption and signature schemes can be used to construct a strongly secure signcryption scheme, further broadening the choice of underlying primitives to cover essentially any combination thereof.
To the best of our knowledge, this is the first signcryption scheme based on the sponge structure that also offers strong security using weakly secure underlying asymmetric primitives, even deterministic ones, along with the ability to handle long messages, efficiently.
The aim of signcryption is to provide both confidentiality and authentication of messages more efficiently than performing encryption and signing independently. The reduction of the computational cost makes signcryption more practical, and it is a preferred option for e-commerce and e-mail applications, where both confidentiality and authentication are required. Zheng introduced the signcryption notion in 1997. He proposed a signcryption solution based on the ElGamal encryption and signature, leaving the design of generic signcryption schemes as an open problem, which has since received considerable attention.
The study of generic compositions of encryption and signature was initiated by An, Dodis and Rabin. They considered different methods for designing signcryption through a black-box composition of secure signature and public-key encryption. In particular, they showed that both “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) lead to secure signcryption schemes. However, the parallel “sign-and-encrypt” (S&E) composition does not provide privacy, since the signature may reveal information about the encrypted message. They introduced an alternative generic method termed “commit-then-sign-and-encrypt” (CtS&E) that provides a security guarantee for the S&E approach. Note that CtS&E compositions lead to parallel signcryption.
An, Dodis and Rabin also define two types of security for signcryption, namely outsider and insider security. Outsider security deals with an external adversary who knows the public keys of a sender and a receiver. In the insider security model, attacks come from the other party that participates in the communication. In other words, an insider adversary is either the sender, who wants to compromise receiver confidentiality, or the receiver, who tries to defeat sender unforgeability. Since security against an insider adversary implies security against an outsider adversary, the former is preferred.
A different security model for signcryption, which has been adopted in a few early papers [2, 20], is the two-user setting. In this model, a single sender interacts with a single receiver. However, as pointed out by Dent, security in the two-user model does not imply security in the multi-user model, in which either several senders communicate with the same receiver or, alternatively, several receivers obtain messages from a single sender. Hence, to ensure a realistic security concept, a multi-user security model must be adopted. The strongest security definitions, which capture both insider confidentiality and unforgeability in the multi-user setting, have been defined in . For an overview of different security models, see [31, 21]. A recent paper by Badertscher, Banfi and Maurer also supports the need for an insider-secure multi-user model for signcryption.
In 2002, An, Dodis and Rabin presented a methodology for parallel encryption and signing. A plaintext m is first transformed into a pair (c, d), where c is a commitment and d is a de-commitment. The value c reveals no information about m, while the pair allows m to be recovered. Once the transformation is done, the sender signs c and encrypts d in parallel using appropriate encryption and signature algorithms. On the receiver side, the signature on c is verified and d is recovered from its ciphertext. Both operations are executed in parallel. Finally, the plaintext m is reconstructed from (c, d). Parallel execution of cryptographic algorithms decreases the computation time needed to signcrypt a message: it equals the larger of the time required to encrypt and the time needed to sign. The minimum security requirements on the underlying encryption and signature algorithms are also discussed. In the two-user model, An, Dodis and Rabin claim that, to obtain a generic chosen-ciphertext (IND-gCCA) secure and existentially unforgeable (UF-CMA) signcryption, it is enough to use any IND-CCA secure encryption, any UF-CMA secure signature and a secure commitment under the CtS&E composition. The IND-gCCA security notion is weaker than IND-CCA.
The work by An, Dodis and Rabin has instigated investigation into new ways of defining signcryption generically. Note that early works present signcryption whose security depends on intractable problems such as the discrete logarithm and integer factoring [36, 30]. The authors of these earlier works left open the question of designing signcryption under weaker security assumptions for encryption and signature schemes that do not relate to any specific intractability assumption. For example, the generic trapdoor one-wayness (OW) assumption is satisfied by the RSA encryption (when integer factorization is intractable) and the ElGamal encryption (when the computational Diffie–Hellman (CDH) problem is intractable). In this paper, we consider cryptographic primitives (encryption and signature) whose security assumptions are generic.
Parallel signcryption is further investigated by Pieprzyk and Pointcheval. They proposed to use a -Shamir secret sharing (SSS) as a commitment scheme. A plaintext m is first split into two shares , where any single share reveals no information about m. The first share is used as a commitment and signed, while the second is encrypted. The authors of  proposed two versions of their scheme. The first version, called generic parallel signcryption, provides IND-CCA and UF-CMA security for signcryption using any IND-CCA secure encryption and UF-CMA secure signature. This result is the same as the one obtained in . The second version, called optimal parallel signcryption, applies the asymmetric padding OAEP as a commitment scheme. This signcryption algorithm provides both IND-CCA and UF-CMA security in the random oracle (RO) model assuming any deterministic OW encryption (such as basic RSA) and any weakly secure deterministic signature (one that is not universally forgeable). The authors discuss the security of their schemes in the insider security model in a multi-user setting.
Dodis et al. [23, 22] propose a different approach to parallel signcryption. They use a Feistel probabilistic padding, which can be viewed as a generalization of other existing probabilistic paddings such as OAEP, OAEP+, PSS-R, etc. The authors argue that their signcryption provides IND-CCA and strong existential unforgeability (sUF-CMA) security assuming trapdoor one-way permutations only.
Hybrid signcryption is an attractive approach in the design of signcryption schemes. It follows the idea of hybrid encryption discussed in many works [17, 18, 28, 27, 15, 1, 5, 24]. Hybrid encryption consists of an asymmetric key encapsulation mechanism (KEM) and a symmetric data encapsulation mechanism (DEM). The first formal treatment of security of signcryption has been done by Dent [19, 20]. Some other related works are [14, 37, 31, 16]. Converting a hybrid encryption scheme to hybrid signcryption turns out to be much trickier than it looks. The main difficulty is an increase in complexity of analysis that results from a more complex adversarial model. It is necessary to consider not only straightforward attacks against authenticity and confidentiality of messages but also more intricate issues such as distinction between outsider and insider attacks. Moreover, CtS&E-type compositions are always preferred as a base for constructing secure KEMs.
1.2 Limitation of existing schemes
A majority of signcryption schemes follow the sequential designs StE or EtS. Note that all schemes for hybrid signcryption with KEM/DEM [19, 20, 14, 16] follow the sequential design. The sequential design limits the efficiency of signcryption. This limitation can be lifted by using the CtS&E composition, which performs encryption and signing in parallel and independently of each other. Many signcryption schemes are built using some specific intractability assumption (for example, intractability of the discrete logarithm [38, 4, 29]). These constructions are not generic, as the assumptions limit the choice of underlying encryption and signature schemes. Constructions for hybrid signcryption are generic, but they require stronger security properties from the key and data encapsulation mechanisms. For example, a recent generic hybrid signcryption scheme given by Chiba et al. requires an IND-CCA secure KEM, a one-time secure symmetric-key encryption, a one-time secure message authentication code and a strongly existentially unforgeable signature scheme. These requirements are much stronger than those needed in already available non-hybrid schemes.
To the best of our knowledge, there is no hybrid signcryption that claims IND-CCA security and existential unforgeability using weak security properties like one-wayness and universal unforgeability. Most signcryption schemes require existential unforgeability of the underlying signature scheme, which is a stronger assumption than universal unforgeability. A common method used to build CtS&E-type schemes [33, 30, 22, 34] is an OAEP-type padding. The padding gives rise to some common limitations: (1) it restricts the message space, (2) it works with deterministic one-way encryption and deterministic signature only and (3) it provides security in the random oracle (RO) model. The unavailability of different types of padding schemes limits the extension of work on the CtS&E composition. Table 1 gives a brief summary of generic signcryption schemes based on CtS&E.
|Schemes|Model|Encryption|Signature|Message length|# of other functions|Signcryption|
|---|---|---|---|---|---|---|
|An, Dodis and Rabin|No specific|IND-CCA|UF-CMA|Restricted|Commitment scheme|IND-gCCA/UF-CMA|
|Pieprzyk and Pointcheval|Random oracle|OW-CPA|suUF-RMA|Restricted|3 hash, 1 secret share scheme|IND-CCA/sUF-CMA|
|Dodis et al.|Random oracle|OW-CPA|sUF-CMA|Restricted|1 hash, 1 commitment scheme|IND-CCA/sUF-CMA|
|Dodis et al.|Random oracle|OW-CPA|sUF-CMA|Unrestricted|1 hash, 1 commitment scheme, symmetric encryption|IND-CCA/sUF-CMA|
|Our result|Ideal permutation|OW-CPA|suUF-RMA|Unrestricted|1 SpongeWrap, 1 sponge function ( 2 hash)|IND-CCA/sUF-CMA|
A randomized padding, like OAEP, is a powerful tool, which converts weakly secure fixed trapdoor one-way functions into public-key encryption that is secure against strong adaptive chosen ciphertext attacks. The padding has been used in signcryption as a part of the commitment scheme in the CtS&E composition. It is known that CtS&E allows the use of weak cryptographic primitives in a generic way to achieve a strong security of signcryption. A good example of such composition is the results by Pieprzyk and Pointcheval [33, 34], which integrate any one-way encryption system (such as the basic RSA) with a weakly secure signature (non-universally forgeable signatures) into a strong chosen-ciphertext secure and existentially unforgeable signcryption in the RO model. The limitation of functionality, like message space restriction or type of encryption scheme, is inherited from the commitment or padding scheme used.
Recently, motivated by the OAEP design, Bansal, Chang and Sanadhya proposed another type of padding, called SpAEP. SpAEP is based on the sponge permutation structure, where the permutation is modelled as an ideal permutation, and the resulting sponge has no restriction on the maximum message space. Unlike KEM-DEM, the SpAEP padding provides a pathway to combine symmetric and asymmetric primitives without a strict delineation. In brief, SpAEP uses a versatile sponge function and SpongeWrap [26, 11, 12] in a pipelined fashion, and a portion of its output is used as input to the asymmetric encryption. The padding provides security guarantees similar to those of OAEP, but it is more efficient. The SpAEP padding can be used with trapdoor one-way permutations only. The sponge-based padding SpAEP is versatile and has been used in a different security model for asymmetric encryption based on an ideal permutation. The padding scheme supports arbitrarily long messages, uses small-domain permutations and applies “on the fly” encryption. Its running time is equivalent to that of a hash function.
Motivated by the versatility of the sponge-based padding and by the amplification of security properties (as demonstrated in [33, 34]), we would like to develop a generic signcryption scheme that is secure in the ideal permutation model. We intend to use weak asymmetric primitives such as trapdoor one-way encryption and universally unforgeable signatures. The scheme is designed to support arbitrarily long messages. Experimental comparisons of the proposed scheme with existing generic signcryption schemes based on implementations are beyond the scope of this paper. However, a structural comparative analysis is provided in the next section.
1.4 Structural comparison
Generally, runtime performance of any signcryption is determined by processing time of asymmetric primitives, irrespective of underlying message-padding scheme, except perhaps for very long plaintexts (which many existing signcryption schemes do not even support). Therefore, structural efficiency improvement plays a secondary role in overall performance of signcryption, with the primary role being played by the ability to use weaker and faster asymmetric components. Nevertheless, simple and feature-rich message padding is always required to widen the applicability and usability of signcryption.
The proposed scheme uses only one SpongeWrap function and one sponge function. From the efficiency point of view, the proposed scheme is optimal since only a single call of SpongeWrap ( one hash function) is required before parallel encryption and signature. One call to the sponge function is required after asymmetric encryption for a small amount of data. The reverse process features the same kind of optimality. Similar optimality remains while processing arbitrarily long messages. Moreover, the entire message padding scheme is based on the iterative structure of a single forward permutation, which also saves implementation effort.
When compared to other generic schemes, Pieprzyk and Pointcheval use a hash function, a secret sharing scheme and OAEP (2 hash functions). A similar overhead is seen in the construction proposed by Dodis et al. [23, 22]. A simple practical generic signcryption scheme is proposed by Dodis et al. [23, 22]. The authors proposed a padding scheme called P-pad, which is equivalent to OAEP+. A detailed comparison of OAEP+ and sponge-based padding (SpAEP) is provided by Bansal, Chang and Sanadhya, which shows that sponge-based padding schemes are more efficient and practical than OAEP-type padding schemes. In the case of arbitrarily long messages, the scheme of Dodis et al. [23, 22] requires an additional symmetric encryption, unlike our proposed scheme. These additional requirements of different functions with different input-output settings increase the implementation effort. Therefore, overall, our proposed scheme provides a simpler, better and feature-rich message padding scheme for the construction of generic signcryption schemes.
In this paper, we make the following contributions.
We present a signcryption scheme in the ideal permutation model using the sponge structure. First we propose signcryption for messages of a fixed length. Then we show how to extend it to arbitrarily long messages. With careful analysis, we demonstrate how different combinations of weakly secure probabilistic/deterministic encryption and signature schemes can be used to build strongly secure generic signcryption. To the best of our knowledge, this is the first sponge-based signcryption. We also believe that the proposed signcryption is the first scheme that allows different combinations of weakly secure encryption and signature schemes to yield a strongly secure signcryption that supports arbitrarily long messages.
The demands on component security are merely one-wayness for encryption and universal unforgeability for signature. These minimum security requirements are sufficient to achieve indistinguishability and existential unforgeability security against adaptive attacks. Such weak requirements were only fulfilled in [33, 34], but the scope of [33, 34] is limited to fixed message space and deterministic encryption and signatures.
Apart from encryption and signature primitives, our scheme requires an ideal permutation only. The iterative permutation model we use is based on the well-known iterative sponge structure. Note that, after the success of KECCAK in the SHA-3 competition, the sponge structure is becoming more and more popular and can serve as a “Swiss army knife” in cryptography.
Flexibility of the sponge-based padding allows the system to be scaled from relatively short messages to long ones while preserving its security properties. Moreover, the complexity of the security analysis does not increase. Note that some extra redundant data is used in the proposed sponge padding; it plays an important role in supporting long messages.
The sponge structure used for message padding resembles the padding proposed in  but differs in two aspects. First, some extra redundant data is used to allow the usage of sponge padding with a signature to provide both unforgeability and confidentiality. Second, while the padding in  applies to deterministic asymmetric encryption only, here we extend the sponge padding so that it also works with probabilistic asymmetric primitives.
Some properties are naturally inherited from the sponge structure. Signcryption offers an “on the fly” computation property during the signcryption and unsigncryption processes. An implementation does not need to use the inverse permutation, which saves implementation effort and memory.
Our signcryption strategy enables unbuffered “on the fly” data processing (a.k.a. “streaming”, “online”, “single-pass” operation) during both the signcryption and unsigncryption processes. This is of significant interest when handling large messages, and one of the differentiating features of our scheme. For the avoidance of doubt, we note that single-pass unsigncryption necessarily requires that the recipient be able to discard an already decrypted stream that ends up failing authentication, with no persistent side-effect, for IND-CCA security. This operational limitation only applies to unsigncryption.
In this work, we use as a security parameter, where is the set of natural numbers. The symbol denotes the bit length of x, and is the concatenation of x and y. If n is a positive integer, then the symbol denotes the set of n-bit strings. We also use to denote the set of binary strings of arbitrary length. represents the first r bits of the string X, where . Selecting a uniformly and independently distributed variable x from a set I is denoted by .
2.1 Ideal permutation
A permutation π is a bijective function on a finite domain D and range R, where . An ideal permutation is a permutation chosen uniformly at random from all the available permutations. Let , then , where is the collection of all permutations on D. More precisely, is a permutation if, for every , there is one and only one such that .
2.2 Public-key encryption
A public-key encryption scheme Encrypt is defined by the following three algorithms:
the key generation algorithm that produces a pair of public and private keys on input , where k is the security parameter,
the encryption algorithm that outputs a ciphertext c for a message and a public key using random coins (the message and coin spaces and are uniquely determined by ),
the decryption algorithm that recovers a message m from a ciphertext c using a secret key .
We require that an asymmetric encryption scheme should satisfy the following correctness condition. For all , for all generated by and every and , we always have . We denote as a minimum input size and as output size of Enc, where is ciphertext overhead of Enc. The length of is denoted by λ, where . Enc is a deterministic encryption (trapdoor one-way permutation) if it does not require and . If Enc depends upon and , then Enc is a probabilistic encryption (trapdoor one-way function).
The simplest security notion for public-key encryption is one-wayness (OW). This is to say that an adversary cannot recover a plaintext m knowing a ciphertext c and a public key. We denote the maximum probability of success that an adversary can invert the encryption of a random plaintext m in time t by . OW is a minimal security requirement for public-key encryption. A variant of one-wayness is OW-PCA, which has been introduced in  for probabilistic encryption. For this notion, an adversary can additionally access a plaintext checking oracle (). The oracle outputs 1 if a given pair is a valid message/ciphertext pair for Encrypt; otherwise, it returns 0. As shown in , the ElGamal encryption achieves OW-PCA under the GDH assumption. Clearly, for deterministic encryption, the OW and OW-PCA notions are the same.
A stronger security notion has also been defined. It is the so-called semantic security (a.k.a. indistinguishability of encryptions, IND). This is to say that a ciphertext should not leak any information about the encrypted message. More formally, knowing that a ciphertext is an encryption of one of two known messages, an adversary cannot guess the message with a non-negligible advantage. An adversary is seen as a 2-stage Turing machine (), and the advantage is negligible for any adversary, where
An adversary can try many different attacks. Knowing a public key, the adversary can encrypt any plaintext of its choice. This scenario is called the chosen-plaintext attack and denoted by CPA. Other attacks allow the adversary a restricted or unrestricted access to various oracles. The strongest attack allows the adversary to query the decryption oracle, which can be accessed adaptively in the chosen-ciphertext scenario (denoted as CCA). There is a restriction for queries – any query to the oracle should be different from the challenge ciphertext.
A digital signature scheme Sign consists of the following three algorithms:
GenSign, the key generation algorithm, which, for a security parameter k, outputs a pair of public and private keys,
Sign, the signing algorithm, which takes a message M and the secret key and outputs a signature ,
Ver, the verification algorithm, which accepts a signature σ, a message M and a public key and returns a binary answer (valid or invalid).
We assume that the signing algorithm takes an input of maximum bits and that it generates a signature of length .
An adversary attempts to forge a signature. The probability of achieving this is assessed via the following game between a probabilistic polynomial time (PPT) adversary and a challenger.
The challenger generates a key pair .
The adversary runs . It has access to an oracle (which will be described below). The adversary terminates by outputting a message and its signature .
In terms of resources, there are two types of attacks. The type of attack specifies the power that the adversary has in the attack.
In a no-message attack (NMA), the oracle gives no response. This is equivalent to an attack model in which the adversary does not have access to the oracle . The adversary knows only the public key of the signer.
In the second, a known-message attack, the adversary has access to a signature oracle providing a list of valid message/signature pairs in addition to knowledge of the public key of the signer. If this list contains random and uniformly chosen messages, then the attack is termed a random-message attack (RMA). If this list contains messages chosen by an adversary, the attack is termed a chosen-message attack (CMA). A chosen-message attack seeks to emulate the normal mode of use of a signature scheme, in which an adversary can observe signatures produced by a legitimate party, perhaps in some adversarial chosen way.
There are two ways, in which we can assess whether the adversary succeeds in forging a signature.
Existential unforgeability (UF) – the adversary wins if it outputs a pair , where and the adversary never queried the signature oracle with the message .
Strong existential unforgeability (sUF) – the adversary wins if it outputs a pair , where the same conditions as for UF hold and, additionally, the adversary never received the response .
In case of a finite message space , we may consider a weaker security notion. For the success criteria, we may ask the adversary to produce a forged signature for a randomly chosen message . This leads us to a new game played by a probabilistic and polynomial-time adversary.
The challenger generates a key pair and a message .
The adversary runs . It has access to an oracle . The adversary terminates by outputting a signature .
We may define two success criteria for this security game.
In the universal unforgeability (uUF) game, the adversary wins if and the adversary never queried the signature oracle with the message .
In the strong universal unforgeability (suUF) game, the adversary wins if and the adversary never queried the signature oracle with the message nor received the response .
We say a signature is deterministic if signing a message multiple times results in the same signature. We say a signature is probabilistic if signing a message twice results in different signatures with overwhelming probability.
2.4 Signcryption: Joint encryption and signing
A signcryption scheme SignCrypt is defined by the following three algorithms:
Gen, the key generation algorithm, which outputs a pair of keys for a security parameter k, where is the user’s sign/decrypt key, which is kept secret, and is the user’s verify/encrypt key, which is made public,
SignEnc, the encryption and signing algorithm, which, for a message M, the public key of the receiver and the private key of the sender , produces a signed ciphertext ,
VerDec, the decryption and verifying algorithm, which, for signed ciphertext Y, the private key of the receiver and the public key of the sender, recovers the message . If this algorithm fails either to recover the message or to verify its authenticity, it returns .
We can combine classical security notions of signature and encryption to form a security notion of signcryption under adaptive attacks. Given access to public information and oracle access to the functionalities of both sender S and receiver R, the adversary attempts to break
authenticity (UF): coming up with a valid signed ciphertext of a new message, and thus provide an “existential forgery”,
privacy (IND): breaking the “indistinguishability” of signed ciphertexts.
In the security analysis, the adversary may be one of S or R. So S may want to break the privacy, or R may want to break authenticity. If signcryption prevents existential forgeries and guarantees indistinguishability in the above attack scenarios (with chosen-message attacks CMA, or adaptive attacks AdA), we say the scheme is secure.
A signcryption scheme is secure if it achieves IND/UF under adaptive attacks.
3 Sponge-based padding
Sponge-based padding consists of two functions: SpWrap and Sponge. SpWrap and Sponge take some of their length parameters from the Encrypt and Sign schemes used in SIGNCRYPT.
This function is based on an iterated ideal permutation with an initial value . It is a tuple of two algorithms, SpWrap.Enc() and SpWrap.Dec().
On an input message M from message space , SpWrap.Enc() gives the output using a random K from the keyspace . SpWrap.Enc() takes the input message M, , K and some length parameters like . The output of SpWrap.Enc() is , where and . SpWrap.Dec() takes a ciphertext , , K and some length parameters like as input. The output of SpWrap.Dec() is M or .
SpWrap uses a structure similar to SpongeWrap, but its message padding is a little more specific than the general injective reversible padding used in SpongeWrap. After applying the injective reversible padding to the input message, which is required for the smooth functioning of the sponge structure, we specifically add a -bit block before the specific length . This addition of an extra block is required during parallel signcryption to prevent a trivial forgery attack, which we discuss later in the proof.
This function works exactly like the sponge function in . Sponge has a fixed b-bit initial value , which differs from the  of SpWrap. In Sponge, we take , where . Sponge takes as input and outputs the k-bit tag value h. We define the Sponge function based on π as follows:
One useful property of SpWrap is that it is a bijection. Considering a fixed  for SpWrap, each query to SpWrap.Enc() has a fixed chain of internal variables because of the permutation π. Therefore, every query has its own unique set of state values, and no two different queries can share the whole set of state bits: the first point of difference between two queries makes the subsequent state values diverge, because π is a permutation.
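As an added illustration of the Sponge and SpWrap functions described in this section (example code written for this page, not the authors' implementation), the following Python builds a toy sponge over a seeded 16-bit permutation standing in for the ideal permutation π, with rate r = 8 and capacity c = 8, and shows the on-the-fly wrap/unwrap and the state-chain uniqueness argued above. The initial values, the 10*1 padding, the key-absorption step and the tag length are assumptions; the paper's extra redundant block and its exact length encoding are not reproduced.

```python
import hmac
import random

# Toy sponge parameters, width b = r + c (a real instantiation uses e.g. b = 1600).
B_BITS, R_BITS = 16, 8          # b and rate r; one byte is absorbed/squeezed per call
C_BITS = B_BITS - R_BITS        # capacity c, never exposed to the caller
RATE_BYTES = R_BITS // 8        # equals 1 here, so message bytes double as r-bit blocks

def make_permutation(seed: int) -> list:
    """Stand-in for the ideal permutation pi: a permutation of {0,1}^b drawn from
    a seeded PRNG (fine for illustration, useless for security at b = 16)."""
    rng = random.Random(seed)
    table = list(range(1 << B_BITS))
    rng.shuffle(table)
    return table

PI = make_permutation(0xC0FFEE)        # one fixed public permutation shared by all
IV_WRAP, IV_SPONGE = 0x0000, 0xA5A5    # constructed IVs; distinct, as in the paper

def outer(state: int) -> int:
    """The r outer bits of a b-bit state."""
    return state >> C_BITS

def absorb(state: int, block: int) -> int:
    """XOR an r-bit block into the outer part, then apply pi."""
    return PI[state ^ (block << C_BITS)]

def pad_blocks(data: bytes) -> list:
    """Injective, reversible 10*1 padding, split into r-bit integer blocks."""
    buf = bytearray(data) + b"\x01"
    while len(buf) % RATE_BYTES:
        buf.append(0x00)
    buf[-1] |= 0x80
    return [int.from_bytes(buf[i:i + RATE_BYTES], "big")
            for i in range(0, len(buf), RATE_BYTES)]

def absorb_all(data: bytes, iv: int) -> int:
    """Absorb every padded block of data into a state that starts at iv."""
    state = iv
    for blk in pad_blocks(data):
        state = absorb(state, blk)
    return state

def squeeze(state: int, out_len: int) -> bytes:
    """Squeeze out_len bytes, r bits per application of pi."""
    out = bytearray()
    while True:
        out += outer(state).to_bytes(RATE_BYTES, "big")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = PI[state]

def sponge(data: bytes, out_len: int) -> bytes:
    """Plain sponge function: a hash whose tag is out_len bytes long."""
    return squeeze(absorb_all(data, IV_SPONGE), out_len)

def spwrap_enc(key: bytes, msg: bytes, tag_len: int) -> tuple:
    """SpongeWrap-style duplex: each plaintext byte is XORed with the outer state
    (the keystream) and released at once, so encryption runs on the fly."""
    state = absorb_all(key, IV_WRAP)           # load K before any message byte
    ct = bytearray()
    for m in msg:
        ct.append(m ^ outer(state))
        state = absorb(state, m)               # block entering pi has outer = ct byte
    state = absorb(state, 0x81)                # 10*1 block closes the message domain
    return bytes(ct), squeeze(state, tag_len)  # tag binds key and whole plaintext

def spwrap_dec(key: bytes, ct: bytes, tag: bytes):
    """Mirror of spwrap_enc: returns M, or None (the paper's failure symbol) when
    the tag fails; a streaming caller must then discard what it already released."""
    state = absorb_all(key, IV_WRAP)
    msg = bytearray()
    for c in ct:
        m = c ^ outer(state)
        msg.append(m)
        state = absorb(state, m)
    state = absorb(state, 0x81)
    if not hmac.compare_digest(squeeze(state, len(tag)), tag):
        return None
    return bytes(msg)

def state_chain(key: bytes, msg: bytes) -> list:
    """Every internal state visited while wrapping msg under key."""
    state, chain = IV_WRAP, []
    for blk in pad_blocks(key) + list(msg):
        state = absorb(state, blk)
        chain.append(state)
    return chain

def chain_divergence(key: bytes, m1: bytes, m2: bytes) -> tuple:
    """For two equal-length queries under one key: (index of the first differing
    state, whether the chains stay apart from there on). pi is a bijection and
    later blocks are XORed into both chains alike, so one differing block keeps
    the chains distinct for good."""
    c1, c2 = state_chain(key, m1), state_chain(key, m2)
    diffs = [i for i, (a, b) in enumerate(zip(c1, c2)) if a != b]
    if not diffs:
        return -1, False
    return diffs[0], len(diffs) == len(c1) - diffs[0]
```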
4 Parallel signcryption: SIGNCRYPT
In this section, we describe our proposal of parallel signcryption using sponge-based padding. To keep this scheme simple, we start with a restricted message space and a deterministic signature scheme. We remove these conditions in Section 5.
Building blocks of parallel signcryption SIGNCRYPT are
an encryption scheme ,
a signature scheme ,
a permutation (assumed to behave like an ideal permutation),
for k-bit security of parallel signcryption, π having sufficient such that it should provide at least k-bit security,
assuming and for some positive integers ,
a public function ID, which maps the public key of any user A to a unique -bit string in a compatible string format as ; the communicating parties are denoted as sender S and receiver R,
the length of a message M is .
Algorithm (Key generation: ).
Sender S generates and receiver R generates . The sender keys are , and the receiver keys are . Accordingly, and . Using the function ID, the unique identities of sender S and receiver R will be and , respectively.
Algorithm (Encrypt and sign: ).
Compute , where , , , and r is the input rate of π.
Parse into , i.e., , where , .
Calculate (in parallel) , .
Calculate , .
The final output is sent to the receiver R.
Algorithm (Decrypt and verify: ).
Calculate (in parallel) , . Ver returns either the recovered  if the signature is valid, or  if it is invalid. If Ver returns , the decrypt-and-verify algorithm VerDec returns  and stops.
If Ver returns , then calculate and .
Set , and set , .
Compute . Return if ; else return .
4.2 Security of parallel signcryption
Security of signcryption has two facets, namely, IND-CCA security and unforgeability under adaptive chosen message attack (UF-AdA). Before proceeding to the details of our proofs of each part individually, we provide a bird’s eye view of each proof.
If the encryption scheme is OW-PCA and the signature scheme is deterministic uUF-RMA, then the parallel signcryption scheme described in Section 4.1 is IND/UF-AdA secure.
The following lemma establishes the unforgeability part of Theorem 4.1.
If there exists an adversary against the UF-AdA security of the parallel signcryption scheme with advantage (whose running time is bounded by t and who makes at most queries to the permutation and queries to the signcryption oracle and queries to the unsigncryption oracle), then there exists an adversary against the uUF-RMA security of the signature scheme with advantage (whose running time is bounded by , where τ denotes the maximal running time of the encryption and signing algorithm) for which
where  is the total number of π queries, including the queries made by the adversary and by the signcryption and unsigncryption oracles.
We are dealing with the insider security model; the adversary has a target sender in mind and it knows the sender’s public key . The adversary has access to the signcryption oracle under . In the multi-user setting, many receivers with different IDs are taken into consideration.
We make the following changes in the permutation π: π still gives a permutation response for each new query, but r bits out of the b-bit output are random, and the c bits out of the b-bit output are always different for a new input. The bound for these changes is , where  is the total number of queries on π. Roughly, this bound accounts for collisions over the b-bit and c-bit outputs of π.
We start making changes in the SignEnc oracle. We try to make the output of the SignEnc oracle random by using a random output of π. We use the message/signature pair list Signlist having elements, where messages are chosen at random and signatures are calculated based on . Because we are working in the multi-user security model, SignEnc accepts different receiver’s IDs along with M. Finally, SignEnc can respond with random output using a pre-computed Signlist, likewise independent of . The bound of changing the original response with a random response comes out to be . This bound captures the probability of guessing the randomness K used during the number of signcryption queries .
We modify the VerDec oracle such that we detect an existential forgery on VerDec and show a reduction to a universal forgery on Ver. Whenever we discuss a forgery, we consider  in VerDec given by an adversary with target sign-ciphertext  and related  and  for the target sender . To detect a valid forgery, we cross-check the set  consisting of the input/output pairs of π during unsigncryption against the sets  and , which consist of the input/output pairs of π maintained by the adversary and by the signcryption oracle, respectively. Let  be the number of unsigncryption queries, and let  be the number of signcryption queries. We show that if , then this is not an existential forgery. We show that if  or , then the probability of an existential forgery is negligible. The bound for these changes comes out to be . This bound captures the probability of producing a target collision on T, a target collision on the input of Ver, or a signature on a random input of Sign.
During the unforgeability proof, it is natural to assume that the encryption scheme satisfies trapdoor one-wayness and its correctness condition.
For a detailed proof, see Appendix A.
If the encryption scheme follows OW-PCA and the signature scheme is uUF-RMA, then the parallel signcryption scheme is UF-AdA.
If the encryption scheme follows OW-PCA, and the signature scheme is suUF-RMA, then the parallel signcryption scheme is UF-AdA.
If the encryption scheme is deterministic and follows one-wayness, and the signature scheme is suUF-RMA, then the parallel signcryption scheme is sUF-AdA.
Corollaries 4.4 and 4.5 differ in the security achieved because of the probabilistic versus deterministic nature of the encryption scheme. The reason is that OW-PCA covers probabilistic asymmetric encryption schemes that admit re-randomization: for the same input to the asymmetric primitive, a different output value can be generated. In the insider security model, an adversary attacking the unforgeability of SIGNCRYPT can then produce a different sign-ciphertext for a message that was queried earlier. For example, for a query , the output is  for some K. Using insider knowledge and the probabilistic nature of the asymmetric encryption, a new, valid output could be  for the same K and . Such a valid pair counts as a forgery under sUF, but not under UF. Therefore, in Corollary 4.4, Sign is suUF-RMA, but SIGNCRYPT overall achieves only UF-AdA. If the encryption scheme is deterministic, the above attack does not apply, and SIGNCRYPT can benefit from suUF-RMA. A summary of the corollaries discussed above is shown in Table 2.
The following lemma establishes the confidentiality part of Theorem 4.1.
Consider an adversary against the IND-CCA security of the parallel signcryption scheme with advantage whose running time is bounded by t and which makes at most queries to the permutation oracle and queries to the unsigncryption oracle. Then there exists an adversary against the OW-PCA security of the public-key encryption scheme with advantage and whose running time is bounded by , where τ denotes the maximal running time of the decryption and verification algorithms, for which
where is the total number of π queries, including queries by the adversary (), signcryption and unsigncryption oracles, and .
We are dealing with the insider security model in the multi-user setting; the adversary has a target receiver in mind. The adversary knows the receiver’s public key and has access to the VerDec oracle under . Further, we assume that an adversary observed queries to the VerDec oracle. Adversary has also chosen a pair of messages and and a key pair for . It receives a ciphertext under of either or . The unknown message is denoted by , where d is the bit that adversary wishes to find out.
We make the subsequent changes in the permutation π such that π gives a permutation response for each new query, but r bits out of the b-bit output are random. Likewise, c bits out of the b-bit output are always different for new input. This part remains the same as for unforgeability.
We modify the unsigncryption oracle so that it rejects every query whose answer the adversary could not already know in advance from its own π queries; the remaining queries can then be simulated without the private key  of the receiver. If , then the probability that the adversary obtains an answer from the unsigncryption oracle is bounded by , which accounts for a target collision on T over the  unsigncryption queries. Unlike in the unforgeability proof, the adversary is allowed to generate a valid signcryptext, but only those whose answer the adversary already knows will be accepted.
We modify the signcryption oracle using the random response of π. This will lead to simulating the signcryption oracle returning a random response. This change will be bounded by the probability of guessing the randomness K used by an adversary or the advantage of an OW-PCA adversary breaking the one-wayness (OW).
The privacy proof of the scheme depends upon the probabilistic or deterministic nature of the underlying signature scheme. During the proof, we assume that the signature scheme is deterministic and follows the correctness condition. In subsequent sections, we show how we can remove this assumption on the signature scheme.
If the encryption scheme is OW-PCA and the signature scheme is deterministic, then the parallel signcryption scheme is IND-CCA.
This corollary follows directly from Lemma 4.6.
If the encryption scheme is deterministic OW-CPA and the signature scheme is deterministic, then the parallel signcryption scheme is IND-CCA.
This corollary is a special case of Corollary 4.7, since a deterministic OW-CPA secure encryption scheme is also OW-PCA.
Next, Corollary 4.9 restates Corollaries 4.7 and 4.8 in terms of suUF-RMA signature schemes only, which suffices because a deterministic uUF-RMA secure scheme is also suUF-RMA.
If the encryption scheme is deterministic OW-CPA and the signature scheme suUF-RMA, then the parallel signcryption scheme is IND-CCA.
Corollaries 4.4 and 4.7 together give Theorem 4.1. Corollaries 4.5 and 4.9 together give the following theorem, Theorem 4.10. A summary of the corollaries related to the privacy proof of SIGNCRYPT is shown in Table 3. A gap in the results, namely that a probabilistic Sign that is only uUF-RMA does not provide security for SIGNCRYPT, is addressed in the next section.
If the encryption scheme is deterministic OW-CPA and the signature scheme is suUF-RMA, then the parallel signcryption scheme is IND/sUF-AdA secure.
The proof of this theorem exactly follows the proof of Theorem 4.1, except that we now assume that Sign is suUF-RMA secure and Encrypt is also deterministic OW-CPA.
5 Extension of parallel signcryption
In Section 4, we saw two limitations of SIGNCRYPT. First, it does not support probabilistic Sign, where the same input can give two or more different signatures. Second, there is a restriction on the maximum message length. In this section, we discuss how to extend the usage of the parallel signcryption SIGNCRYPT in case of probabilistic Sign and in case of arbitrarily long messages.
5.1 Using probabilistic Sign
Probabilistic Sign is not supported in the proposed scheme because we assumed Sign to be deterministic, so two different signatures for the same input are not considered. If a probabilistic Sign scheme is used, the IND-CCA security of SIGNCRYPT no longer holds in the proposed scenario: an insider adversary can simply produce another signature σ on  of the challenged signed ciphertext and submit it to VerDec. This reveals the bit d of  with probability 1 without violating the rules of the IND-CCA experiment. This attack can be handled easily in two ways.
Relaxing IND-CCA experiment to IND-gCCA : Consider the challenged signed ciphertext as two parts. The first one is the ciphertext , and the second one is the signature . Imposing a restriction on the adversary attacking the IND-CCA security, not only can the challenged signed ciphertext not be queried to the decryption oracle, but those queries that result in the same as the challenged ciphertext are also prohibited. A query to VerDec having the challenged ciphertext could be easily determined by using the public key of the sender as verification key.
This change in the IND-CCA experiment is similar to IND-gCCA proposed in . An, Dodis and Rabin  proposed this IND-gCCA notion specifically for signcryption in a more formal way to avoid the trivial attack discussed above. By following the IND-gCCA security experiment in , we can propose another corollary from Lemma 4.6.
If the encryption scheme is OW-PCA and the signature scheme is unforgeable, then the parallel signcryption scheme is IND-gCCA.
This corollary can be combined with corollaries from Lemma 4.2 and different, new results can be achieved.
Include σ as part of the input to Sponge. Feeding σ into Sponge binds σ to a particular K, like in the case of . The attack discussed above no longer works, because a different σ leads to a different K. This change is simpler than requiring the IND-gCCA security notion. It was left out of the initially proposed scheme to keep the proof simple and direct; presenting both options clarifies the relation between IND-gCCA and feeding σ into Sponge.
5.2 Arbitrarily long messages
An arbitrarily long message can be supported in SIGNCRYPT without any major structure modification. Earlier, when . If , then , where , , and the final output of SIGNCRYPT is .
Caution. It is essential that if , then , not , where  is the input of Enc and  is the input of Sign. The requirement that the signature covers the last part of the data arises in signcryption to prevent a trivial forgery by an insider adversary. If Sign were instead applied to the data that precedes the Enc data, as in , the adversary could replace  and T accordingly using ,  and  of Enc, which yields a trivial forgery.
With this proposed change from solution 2 and support of long messages, we call SIGNCRYPT a generic version of SIGNCRYPT. A graphical representation of generic signcryption is shown in Figure 3.
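The following is an added, illustrative implementation of the CtS&E structure described in Sections 4.1 and 5: parallel Enc and Sign over a sponge-based padding, the signature covering the last part of the padded data, and σ fed into Sponge when computing T as in solution 2. It is not the authors' code and does not reproduce SpWrap, SpPad or the exact form of T; the duplex layout, the position of the checkout block Z, the block-aligned split point and the formula for T are my assumptions chosen to mirror the text. The permutation π is a toy Feistel network standing in for a real b-bit permutation, and keygen/enc/dec/sign/ver are symmetric stand-ins that only provide the interfaces the wrapper needs (deterministic Enc/Dec, and Sign with message recovery); the unauthenticated nonce in sign mimics a probabilistic Sign so that the re-randomization case from Section 5.1 can be exercised.

```python
import hashlib
import hmac
import secrets
from concurrent.futures import ThreadPoolExecutor

R = 16                 # rate r in bytes (128 bits); the capacity is also 16 bytes, so b = 256 bits
K_LEN = TAG_LEN = 16   # K must be exactly one rate block here; TAG_LEN is the toy signature tag size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pi(state):
    """Toy 256-bit permutation: 4-round Feistel with a SHA-256 round function. It is bijective by
    construction, but it is an assumed placeholder for Keccak-f, not a vetted primitive."""
    left, right = state[:R], state[R:]
    for rnd in range(4):
        left, right = right, xor(left, hashlib.sha256(bytes([rnd]) + right).digest()[:R])
    return left + right

def pad10(m):
    """Injective reversible padding: append 0x80, then zeros up to the next block boundary."""
    return m + b"\x80" + b"\x00" * (-(len(m) + 1) % R)

def sponge(data):
    """Plain sponge hash with zero IV and a 128-bit output; used here for the tag T."""
    st, padded = bytes(2 * R), pad10(data)
    for i in range(0, len(padded), R):
        st = pi(xor(st[:R], padded[i:i + R]) + st[R:])
    return st[:R]

def init_state(K, ids):
    if len(K) != R:                    # absorb K as the first block, then ID_S || ID_R
        raise ValueError("K must be one rate block")
    st = pi(K + bytes(R))
    return pi(xor(st[:R], hashlib.sha256(ids).digest()[:R]) + st[R:])

def sppad_enc(K, ids, M):
    """SpongeWrap-style duplex: mask each block with the rate part and feed the masked block back.
    The trailing block Z (the squeeze after the last block) stands in for the paper's extra block."""
    st, out, padded = init_state(K, ids), [], pad10(M)
    for i in range(0, len(padded), R):
        blk = xor(padded[i:i + R], st[:R])
        out.append(blk)
        st = pi(blk + st[R:])          # duplex: the masked block becomes the new rate part
    return b"".join(out) + st[:R]      # ... and the final squeeze is the checkout block Z

def sppad_dec(K, ids, padded):
    if len(padded) % R or len(padded) < 2 * R:
        raise ValueError("bad length")
    body, Z, st, pm = padded[:-R], padded[-R:], init_state(K, ids), b""
    for i in range(0, len(body), R):
        blk = body[i:i + R]
        pm += xor(blk, st[:R])
        st = pi(blk + st[R:])
    pm = pm.rstrip(b"\x00")            # checkout: the re-derived chain must end in Z, and the
    if not hmac.compare_digest(st[:R], Z) or not pm.endswith(b"\x80"):  # padding must be valid
        raise ValueError("checkout failed")
    return pm[:-1]

# Assumed stand-ins for the asymmetric primitives: symmetric and insecure (sk == pk), present only
# for their interfaces (deterministic Enc/Dec, Sign with message recovery). The 4-byte nonce after
# the tag is not authenticated, which mocks a probabilistic (re-randomisable) Sign.
def keygen(seed):
    k = hashlib.sha256(seed).digest()
    return k, k                        # (sk, pk)

def enc(pk_R, c1):
    return xor(c1, hashlib.shake_256(b"enc" + pk_R).digest(len(c1)))
dec = enc                              # XOR keystream, so Dec is the same map as Enc

def sign(sk_S, c2):
    return c2 + hmac.new(sk_S, c2, "sha256").digest()[:TAG_LEN] + secrets.token_bytes(4)

def ver(pk_S, sigma):
    c2, tag = sigma[:-(TAG_LEN + 4)], sigma[-(TAG_LEN + 4):-4]
    return c2 if hmac.compare_digest(tag, hmac.new(pk_S, c2, "sha256").digest()[:TAG_LEN]) else None

def signcrypt(sk_S, pk_S, pk_R, M):
    ids, K = pk_S + pk_R, secrets.token_bytes(K_LEN)          # ID(S) || ID(R), fresh K
    padded = K + sppad_enc(K, ids, M)
    mid = K_LEN + R * (((len(padded) - K_LEN) // R) // 2)      # block-aligned; Sign gets the tail incl. Z
    c1, c2 = padded[:mid], padded[mid:]
    with ThreadPoolExecutor(max_workers=2) as ex:              # Enc and Sign run in parallel
        f_y, f_sig = ex.submit(enc, pk_R, c1), ex.submit(sign, sk_S, c2)
        y, sigma = f_y.result(), f_sig.result()
    T = sponge(ids + y + sigma + K)    # sigma is sponge input ("solution 2"), binding it to this K
    return y, sigma, T

def unsigncrypt(sk_R, pk_R, pk_S, y, sigma, T):
    ids = pk_S + pk_R
    c1, c2 = dec(sk_R, y), ver(pk_S, sigma)   # independent, so these may run in parallel as well
    if c2 is None:
        return None                    # invalid signature
    K = c1[:K_LEN]
    if not hmac.compare_digest(sponge(ids + y + sigma + K), T):
        return None                    # T mismatch: K, y, sigma or an identity was altered
    try:
        return sppad_dec(K, ids, c1[K_LEN:] + c2)
    except ValueError:
        return None                    # checkout or padding failed
```

Running signcrypt followed by unsigncrypt round-trips a message of any length, including the empty one. Flipping a bit of y, re-randomizing σ without touching the signed tail, or swapping a party identity makes unsigncrypt return None, because T commits to K, y, σ and both identities, while the checkout block Z commits to the whole duplex chain. Replacing the stand-in keygen/enc/dec/sign/ver by a trapdoor one-way encryption scheme and a signature scheme with message recovery gives the actual construction.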
Theorem 4.1 can be modified for SIGNCRYPT as follows:
If the encryption scheme is OW-PCA and the signature scheme is (uUF,suUF)-RMA, then the parallel signcryption SIGNCRYPT scheme is IND-CCA/(UF,sUF)-AdA secure.
If we follow the proof of Lemma 4.2, after game G5, we can clearly see that the output of π is random. Following random π, the output h of Sponge is also random. Even if the adversary tries to use another σ for the same , this will result in a change of h that leads to random K and , and the adversary needs to produce a target collision over that T or K. This case is already included in the proof when and .
For IND-CCA security of SIGNCRYPT, we can follow the proof of Lemma 4.6 including extra cases when Encrypt and Sign are probabilistic. In order to get information about , now the adversary tries to produce different for the same or different σ for the same . Either of these cases will change the value of , which reduces the problem again of having a collision on T or having knowledge of . This results in the same bound on IND-CCA2 as for SIGNCRYPT.
Therefore, regarding IND-CCA of SIGNCRYPT, the addition of Sponge is a dummy operation compared to SIGNCRYPT for outputting T, but its usage protects σ of Sign and outputs of Encrypt by making them dependent on a particular K. This dependency provides IND-CCA security for SIGNCRYPT in a similar way for SIGNCRYPT.
The combination of an encryption and a signature scheme yields a signcryption scheme. The extra burden of satisfying both privacy and unforgeability against insider adversaries increases the complexity of proving that the system is secure and efficient. This complexity imposes limitations on the signcryption scheme in terms of the required security assumptions, the achieved security and the efficiency, which have to be balanced against each other. Message pre-processing has turned out to be an attractive way to build a secure and efficient signcryption scheme. Existing message pre-processing techniques, however, are inflexible, which prevents their adaptation to different scenarios such as long messages, different types of underlying encryption and signature schemes, insider security, efficient parallel computation, etc.
The versatile nature of the sponge structure enables us to modify the message pre-processing efficiently. This efficient message pre-processing helps us to build a secure signcryption scheme that achieves a higher security level from weakly secure encryption and signature schemes. We also found that the probabilistic or deterministic nature of the signature scheme plays an important role in the privacy of the signcryption scheme, whereas the same is not true for unforgeability with respect to the encryption scheme. In the end, we obtained a signcryption scheme that performs efficiently without compromising its security. The proposed scheme is highly customizable, as it allows the use of weakly secure schemes and of different types of underlying encryption and signature schemes.
Funding source: Australian Research Council
Award Identifier / Grant number: FT140101145
Award Identifier / Grant number: DP180102199
Funding source: Narodowe Centrum Nauki
Award Identifier / Grant number: DEC-2014/15/B/ST6/05130
Funding statement: Xavier Boyen is supported by Australian Research Council Future Fellowship grant FT140101145. Josef Pieprzyk was supported by Polish National Science Centre grant DEC-2014/15/B/ST6/05130 and Australian Research Council Discovery grant DP180102199.
A Proof of Lemma 4.2
We consider an experiment similar to UF-AdA as described in Section 2.3. We follow the subsequent experiment for UF-AdA security of SIGNCRYPT against adversary .
The advantage of adversary is given by
We use a game-based proof framework . We are dealing with the insider security model; the adversary has a target sender in mind and it knows the sender’s public key . The adversary has access to the signcryption oracle under . We denote the winning event of forging a signcryptext in game i by .
Game G0 represents the original signcryption game for UF-AdA. The adversary issues queries on the signcryption oracle specifying the receiver in each query using . Adversary ’s target is to give a target and a signed ciphertext such that , where should not be queried by to SignEnc. Adversary might ask or to SignEnc. Therefore,
From G0 to G4, we make successive changes in the permutation π. The modified π gives a permutation response for each new query such that r bits out of the b-bit output are random. Likewise, c bits out of the b-bit output are always different for new input. This helps us to exploit the permutation property of Sponge and make an output C deterministic for a specific input K, M and . Any change in either of the four values will make at least one value random. Here “any change” implies, while establishing a relation between , if any input/output pair of π is not defined already, then essentially one of the parts is new or randomly generated.
Games G1 and G2. We start making changes in the permutation π. In G1, we take the response of π randomly and differently from the previous responses using the set . In G2, π queries are simulated as a random function, that is, for every new input, the output is random, which does not need to be different. So, in G2, π gives a random response without cross-checking it in the previous input/output response list . G1 and G2 remain identical until the output of the π query collides with any of the previous outputs. This collision is denoted as the event bad. The probability that a random response chosen as the output of π will collide with any previous response is , where is the total number of queries on π (and ), either from oracle calls by a different oracle or by the adversary . Therefore, .
Games G3 and G4. G3 remains the same as G2. In G3, we split up the output v of π in input rate and capacity rate . We also have a set , which initially consists of and . The output v of π is chosen at random from the previous outputs. We mark an event as in case is part of any previous output, . In G4, π is converted back to a permutation from a random function. Now, in G4, if happens, then is chosen again randomly from its set, but rejecting the values already in the set .
So, in case of , the input rate part of π’s output is random and the capacity part is different from all previous capacity parts of the outputs. In G4, π works again as an ideal permutation, but the permutation is happening over the capacity parts of the output. After every query, the sets and are updated according to the input/output response of π. The probability of will be . Therefore, .
From G5 to G9, we start making changes in the SignEnc oracle. We try to make the output of the SignEnc oracle random by using a random output of π. We use the message/signature pair list Signlist having elements, where messages are chosen at random and signatures are calculated based on . In the last SignEnc, it can respond with random output using a pre-computed Signlist, likewise independent of .
Games G5 and G6. G5 is the same as G6. In G6, in SignEnc, we add a dummy random string equivalent to the length of , shown as dashed box. G5 and G6 are the same except for some dummy lines that are added in G6 at step 4 and 5 in SignEnc. In these dummy lines, is chosen at random, and is split into , where and each .
Games G6 and G7. In G7, we change the response of π according to such that SpPad.Enc outputs for M on K. As we already know, the r-bit part of the b-bit output of π is random. Therefore, we can replace the random output x of π with another random value . Such a change will produce as the output response of π from its “for” loop. Now , and this is used for calculating encryption and signature for the final output. Here , and . We store the input/output response of π, called in SignEnc, in a set .
This change of response might fail if the response of the first π call using K in SignEnc is already defined by the query in using and publicly known and IDs. Because if the first response of π using K in SignEnc goes collision free, then all successive responses will be new due to the permutation property. Therefore, the probability of failure of this response change in G7 for queries is . Therefore, .
Games G7 and G8. In G8, we choose a new message/signature pair  from Signlist at random and replace the  produced by the π loop (SpPad) with the chosen message. Concretely, in G8, before calculating SpPad and after generating , we set . Then we replace  with  from the (message/signature) pair list, and then set  again. The rest of the code remains the same as in G7. Since both  and  are random, games G7 and G8 are indistinguishable.
Games G8 and G9. In G9, the code remains the same as in G8; instead of calculating , one can simply replace this operation with a pre-calculated for from Signlist. Now SignEnc is independent of of Sign and later available to adversary for a uUF-RMA attack on Sign.
From now on, we start making changes in the VerDec oracle.
Game G10. In G10, we add some dummy lines, which do not affect the UF-AdA experiment of the game, so G10 remains the same as G9. In G10, we modify the VerDec oracle such that we detect an existential forgery on VerDec and show a reduction to a universal forgery on Ver. Whenever we discuss a forgery, we consider  in VerDec and the related  and  for the target sender .
We set flag to a boolean value old initially, and set it to new in case the input/output response of π during VerDec does not belong to . Here signifies that the input to VerDec is the output of SignEnc for some i-th query in case , or all of π’s input/output responses are already known to adversary in if . Similarly, if flag becomes new, then one of the values of π in VerDec is new with regard to SignEnc. In case validation passed for , then essentially the answer M is not queried before SignEnc, and one of the values from is used differently compared to any value in the output of SignEnc.
A forgery is assumed to be valid only when and happens under for . We try to detect a forgery based on a randomly chosen known input of Ver.
Game G11. In G11, we return in case . Here the difference between G10 and G11 is the probability of in case .
In case validation passed for , then essentially the answer M is not queried before SignEnc, and one of the values from π is freshly defined. This leads to a target collision on the proposed T in the input to VerDec. This happens with a probability of . Therefore, .
Game G12. G12 is the same as G11 except for some dummy lines of code added, shown in dashed boxes.
Initially, a random of length is chosen. In case this appears in SignEnc during answering a query, we abort SignEnc from answering. The probability of such happening is , and this event is not helpful in the forgery because such a query does not provide any information to adversary .
We also mark a dummy event as true if, during the VerDec query,  and  for . This event signifies that the adversary has provided a valid signature on a randomly chosen  for the targeted  of sender and receiver. Later, we show that the probability of this event being true is equivalent to .
We also mark an event as in case VerDec returns M if is true and flag is still old.
Game G13. In G13, we return instead of M in case . We check the probability of this bad event happening. This event is possible in either of two cases. We denote the first case as and the second case as , e.g., .
The probability of is as follows. This is the case when the adversary has generated a valid ciphertext using an individual query to with the help of a known message/signature pair. Adversary could use custom K, and values of so that adaptive calls of will produce the desired with known σ and some random T. Here comes the part of special addition of an string block in message padding during checkin and checkout. This block forces to select a particular K and values of such that, after producing , the next output of should be equivalent to the first r-bit of . This is essential to pass the checkout function. The probability of this happening is for the available message/signature pairs through SignEnc queries.
The probability of is as follows. This case happens when the adversary has generated a valid ciphertext using having known an individual query to and without the help of a known message/signature pair by generating a valid signature for random . This could happen as follows: The adversary asks queries to π for some random K, and custom ’s according to the checkout function to generate random , , and , which will also validate upon verification. Now, in order to pass the validation of Sign, needs to have a valid signature over Sign for random . Because knows the targeted message before generating the signature, this becomes equivalent to universal forgery for a random message. Therefore, .
Therefore, the adversary needs to produce either a collision over the r-bit of using a π query and known or, alternatively, produce a valid signature over random , which is the output of π queries. Therefore, if the adversary passes the checkout function, then essentially produces the collision. The probability of such a collision happening is . Therefore, .
Games G13 and G14. G14 is the same as G13. G14 is the final ideal game, and we simplify the cases by merging the bad event with the event , because in both events VerDec returns . Now flag is set to new in case  or , and VerDec returns  if flag is new. M is returned only if flag is old and the validation of T passes. Essentially,  now receives  for all of its queries unless it either produces a valid signature on some random  that was not queried before or queries an output of SignEnc. ∎
B Proof sketch of Lemma 4.6
Proof of Lemma 4.6.
We consider the following experiment for IND-CCA security of SIGNCRYPT against adversary .
The advantage of adversary is given by the probability
We are dealing with the insider security model in the multi-user setting; the adversary has a target receiver in mind. The adversary knows the receiver’s public key and has access to the VerDec oracle under . Further, we assume that an adversary observed queries to the VerDec oracle. Adversary has also chosen a pair of messages and and a key pair for . It receives a ciphertext under of either or . The unknown message is denoted by , where d is the bit the adversary wishes to find out. Adversary outputs a bit , which is equal to d with the advantage ϵ, i.e., . In the following, we use an asterisk for all internal values used in computing the challenged signcryption.
where is a negligible function and . In each game, the following set is maintained: I by π, by , and Y stores the capacity c-bit values upon each query to π.
We modify SIGNCRYPT into a sequence of games G0, G1, …, G12 such that
Games G0 to G5. From G0 to G5, exactly the same changes follow as in the proof of Lemma 4.2. Therefore,
In G5, the game maintains an extra set , which stores the input/output response of π (as ) during the SignEnc challenge query.
Games G5 and G6. Both games are the same. In G6, a dummy operation of is added in the VerDec oracle to denote a new query. The query is new in the sense that neither the query nor any part of the query during internal calls to π was queried earlier by the adversary. That is, if any π’s responses are not in . Now the code of G6 can check the condition in the cases and separately. If and , then we mark this event as because is just a dummy event and the return of VerDec in G6 is not affected. Therefore, .
Games G6 and G7. In G7, in VerDec, we return instead of M in case is true. Therefore,
Let , where and . In VerDec, an input is a new query to π when and an old query when . If a new query is input to π during VerDec, then π outputs , where . That is, is also new. Since is unseen so far, this ensures that the input to the next call of π is certainly new. Further, since is new, the next input satisfies the condition , where stands for any b-bit value. Therefore, one new query makes all subsequent inputs to new. We already know that, for any new query, the r-bit response of π is random. Therefore, in case , the probability of is equivalent to a collision over the k-bit T value. Therefore, for VerDec queries. Therefore,
Now if this bad event does not happen, then G7 will return M only in case all π responses are already known to . Consecutively, already knows the answer of VerDec with the help of π queries and available Sign, Ver and Enc functions.
Games G7 and G8. Both games are the same. G7 and G8 both return  when a new query is given to the VerDec oracle. In G8, a message M is returned only when all the input/output relations of π that would arise during the encryption of M are already in . G8 iterates over all the possible input/output pairs of , initially using  and , and tries to find an  such that . In the positive case, it further calculates K and then tries to find all pairs of input/output responses that reach T via . If any of the responses is missing, then VerDec simply rejects the query. Due to the insider model, a natural assumption on the signing algorithm is that, for the same input, two different signatures cannot be generated. We discuss the impact of this assumption after the proof.
Games G8 and G9. We start making incremental changes to the signcryption oracle from G9 on. In G9,  is chosen before the signcryption query and after the “find” stage. In both cases,  remains random, and therefore
Some extra dummy variables , along with , are also chosen after the find stage but not used. A dummy value is calculated on using Enc.
Games G9 and G10. In G9, is generated randomly. In G10, is computed using the value of randomly generated , and . The value of is calculated via , where . Here represents the sponge function with using the permutation . Since π is an ideal permutation and is a random value, will also be random. Therefore, G9 and G10 are the same,
Game G11. In G10, during signcryption was calculated using and the r-bit random output of π. In G11, we directly allocate random , , , values to the signcryption oracle. Earlier, in G10, during signcryption, has a relation with , whereas, in G11, there is no relation between and . This gap can only be exploited if is known to adversary and queried to π. We mark this query by to π as . Therefore, . If this event does not happen, then essentially , , , will be random and also independent from .
Game G12. This is the final game of adversary . It is the same as G11; if does not happen, then essentially remains unknown to the adversary along with . The event in G11 is the same as in G12 because the sign-ciphertext is random and independent of ; therefore
The probability of is
where means that all the input/output relations of are also known to the adversary via the set . Hence knows all for and . Moreover, the adversary learns from of the challenge ciphertext.
Given , if is queried to π, then it reveals completely. Therefore,
where means that one of the inputs to is unknown to the adversary . This results in an unknown output value from . Since is already random, remains unknown and random to . Since and are public, querying is equivalent to randomly guessing .
The last game G12 can be used to build an adversary that simulates adversary ’s queries. Here the adversary tries to recover the first k bits of the input to Enc, given a random y and the other public information. ∎
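The following Python sketch is an added illustration of the simulation technique used in game G8 and in the final probability argument (the "unknown input to π" case); it is not code from the paper, and the sponge it uses is a deliberately simplified r-bit-rate keystream over an ideal permutation π rather than the paper's padding scheme. It models π as a lazily sampled random permutation whose query log is the set of input/output relations the adversary has learned, and it shows a VerDec-style routine that unmasks a ciphertext only by replaying that log: when every π input on the sponge path has been queried the message is recovered, and when the seed's path was never queried the routine rejects, which is exactly why an unqueried input to π leaves the mask uniformly random to the adversary. The names r, c and π follow the text; every other name (IdealPermutation, sponge_mask, simulated_unmask, the sample message and seeds) is an assumption made for this example.

```python
import secrets


class IdealPermutation:
    """Lazily sampled random permutation on b-bit states with a query log.

    This is how an ideal permutation pi is handled in a game-playing proof:
    the table is filled in on demand, so the recorded (x, pi(x)) pairs are
    exactly the input/output relations the adversary has learned.
    """

    def __init__(self, b, rng=secrets.randbits):
        self.b = b
        self.fwd = {}   # x -> pi(x)
        self.inv = {}   # pi(x) -> x
        self.rng = rng

    def forward(self, x):
        if x not in self.fwd:
            y = self.rng(self.b)
            while y in self.inv:          # keep pi a bijection
                y = self.rng(self.b)
            self.fwd[x], self.inv[y] = y, x
        return self.fwd[x]

    def backward(self, y):
        if y not in self.inv:
            x = self.rng(self.b)
            while x in self.fwd:
                x = self.rng(self.b)
            self.fwd[x], self.inv[y] = y, x
        return self.inv[y]

    def log(self):
        """Snapshot of all forward relations queried so far."""
        return dict(self.fwd)


def sponge_mask(pi_forward, r, c, seed, nbits):
    """Squeeze an nbits mask from a sponge seeded with an r-bit value.

    Simplified toy sponge (an assumption of this example, not the paper's
    padding): the seed sits in the outer r bits, the c-bit capacity starts
    at zero, and each permutation call yields r bits of mask.  pi_forward is
    a callable so the same routine runs against the real pi or against a
    replay of its query log; it must return None for a never-queried state.
    """
    state = seed << c
    out, got = 0, 0
    while got < nbits:
        state = pi_forward(state)
        if state is None:
            return None                   # a needed pi relation is missing
        out = (out << r) | (state >> c)   # outer r bits of the new state
        got += r
    return out >> (got - nbits)


def simulated_unmask(log, r, c, seed, ct, nbits):
    """VerDec as in game G8: unmask only from recorded pi relations.

    Returns the message when every permutation input on the sponge path is
    already in the log; otherwise returns None, i.e. the query is rejected.
    """
    mask = sponge_mask(log.get, r, c, seed, nbits)
    return None if mask is None else ct ^ mask


def demo():
    r, c = 16, 16
    pi = IdealPermutation(r + c)
    nbits = 56
    msg = 0xC0FFEE1234ABCD                # constructed 56-bit sample message

    # The adversary encrypts under a seed it chose itself, so every pi call
    # on that sponge path lands in the log and the G8 simulator recovers msg.
    seed_known = 0xBEEF
    ct = msg ^ sponge_mask(pi.forward, r, c, seed_known, nbits)
    log = pi.log()
    queries_after_encrypt = len(log)
    recovered = simulated_unmask(log, r, c, seed_known, ct, nbits)

    # A seed whose initial state was never fed to pi: the simulator has no
    # relation to replay, so it rejects, and the mask stays uniformly random
    # from the adversary's point of view (the "unknown input to pi" case).
    seed_fresh = next(s for s in range(1 << r) if (s << c) not in log)
    rejected = simulated_unmask(log, r, c, seed_fresh, ct, nbits)

    return {
        "recovered": recovered == msg,
        "rejected": rejected is None,
        "queries": queries_after_encrypt,     # 4 squeezes for 56 bits at r=16
        "no_new_queries": len(pi.log()) == queries_after_encrypt,
    }


if __name__ == "__main__":
    print(demo())
```

The replay routine never calls the real π, which is the whole point of the G8 hop: the simulator answers VerDec from the adversary's own query set and rejects anything it cannot reconstruct, and the only way the adversary can tell the difference is to have queried the secret input to π, which is the event bounded at the end of the proof.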
© 2019 Walter de Gruyter GmbH, Berlin/Boston
This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.