# Signcryption schemes with insider security in an ideal permutation model

Tarun Kumar Bansal , Xavier Boyen and Josef Pieprzyk

# Abstract

Signcryption aims to provide both confidentiality and authentication of messages more efficiently than performing encryption and signing independently. The “Commit-then-Sign & Encrypt” (CtS&E) method allows to perform encryption and signing in parallel. Parallel execution of cryptographic algorithms decreases the computation time needed to signcrypt messages. CtS&E uses weaker cryptographic primitives in a generic way to achieve a strong security notion of signcryption. Various message pre-processing schemes, also known as message padding, have been used in signcryption as a commitment scheme in CtS&E. Due to its elegance and versatility, the sponge structure turns out to be a useful tool for designing new padding schemes such as SpAEP [T. K. Bansal, D. Chang and S. K. Sanadhya, Sponge based CCA2 secure asymmetric encryption for arbitrary length message, Information Security and Privacy – ACISP 2015, Lecture Notes in Comput. Sci. 9144, Springer, Berlin 2015, 93–106], while offering further avenues for optimization and parallelism in the context of signcryption. In this work, we design a generic and efficient signcryption scheme featuring parallel encryption and signature on top of a sponge-based message-padding underlying structure. Unlike other existing schemes, the proposed scheme also supports arbitrarily long messages. We prove the construction secure when instantiated from weakly secure asymmetric primitives such as a trapdoor one-way encryption and a universal unforgeable signature. With a careful analysis and simple tweaks, we demonstrate how different combinations of weakly secure probabilistic and deterministic encryption and signature schemes can be used to construct a strongly secure signcryption scheme, further broadening the choices of underlying primitives to cover essentially any combination thereof. To the best of our knowledge, this is the first signcryption scheme based on the sponge structure that also offers strong security using weakly secure underlying asymmetric primitives, even deterministic ones, along with the ability to handle long messages, efficiently.

MSC 2010: 94A60; 68P25

## 1 Introduction

The aim of signcryption is to provide both confidentiality and authentication of messages more efficiently than performing encryption and signing independently. The reduction of the computational cost makes signcryption more practical and it is a preferred option for e-commerce and e-mail applications, where both confidentiality and authentication are required. Zheng [38] introduced the signcryption notion in 1997. He proposes a signcryption solution that is based on the El-Gamal [25] encryption and signature, leaving the design of generic signcryption schemes as an open problem, which has since then received considerable attention.

The study of generic compositions of encryption and signature has been initiated by An, Dodis and Rabin [2]. They considered different methods for designing signcryption through a black-box composition of secure signature and public-key encryption. In particular, they showed that both “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) lead to secure signcryption schemes. However, the parallel signcryption approach “sign-and-encrypt” (S&E) composition does not provide privacy since the signature may reveal information about the encrypted messages. They introduced an alternative generic method termed “commit-then-sign-and-encrypt” (CtS&E) that provides some security guarantee for S&E. Note that CtS&E compositions lead to parallel signcryption.

An, Dodis and Rabin [2] also define two types of security for signcryption, namely, outsider and insider security. The outsider security deals with an external adversary who knows the public keys of a sender and a receiver. The insider security model attacks are coming from the other party that participates in the communication. In other words, an insider adversary is either the sender who wants to compromise receiver confidentiality or the receiver who tries to defeat sender unforgeability. Since security against an insider adversary implies security against an outsider adversary, the former is preferred.

A different security model for signcryption, which has been adopted in a few early papers [2, 20], is the two-user setting. In this model, a single sender interacts with a single receiver. However, as pointed out by Dent [20], security in the two-user model does not imply security in the multi-user model, in which either several senders communicate with the same receiver or, alternatively, several receivers obtain messages from a single sender. Hence, to ensure a realistic security concept, a multi-user security model must be adopted. The strongest security definitions, which captures both insider confidentiality and unforgeability for the multi-user setting, have been defined in [29]. For an overview of different security models, see [31, 21]. A recent paper by Badertsche, Banfi and Maurer [3] also supports the need for an insider secure multi-user model for signcryption.

### 1.1 Background

In 2002, An, Dodis and Rabin [2] presented a methodology for parallel encryption and signing. A plaintext m is first transformed into a pair (c,d), where c is a commitment and d is a de-commitment. The value c reveals no information about m, while the pair (c,d) allows to recover m. Once the transformation m(c,d) is done, the sender signs c and encrypts d in parallel using appropriate encryption and signature algorithms. On the receiver side, the signature on c is verified and d is recovered from its ciphertext. Both operations are executed in parallel. Finally, the plaintext m is reconstructed from (c,d). Parallel execution of cryptographic algorithms decreases the computation time needed to signcrypt a message. It is equal to the maximum of either the time required to encrypt or the time needed to sign. Minimum security requirements required from underlying encryption and signature algorithms are also discussed. In the two-user model, An, Dodis and Rabin [2] claim that to provide a generic chosen-ciphertext (IND-gCCA) secure and existentially unforgeable (UF-CMA) signcryption, it is enough to use any IND-CCA secure encryption, UF-CMA secure signature and a secure commitment under the CtS&E composition. The IND-gCCA security is weaker than IND-CCA.

The work by An, Dodis and Rabin [2] has instigated investigation into new ways to define signcryption in more generic ways. Note that early works present signcryption whose security depends on intractable problems such as discrete logarithm [38] and integer factoring [36, 30]. The authors of earlier works left an open question of designing signcryption under weaker security assumptions for encryption and signature schemes that do not relate to any specific intractability assumption. For example, the generic trapdoor one-wayness (OW) assumption is satisfied by the RSA encryption (when integer factorization is intractable) and the ElGamal encryption (when the computational Diffie–Hellman (CDH) problem is intractable). In this paper, we consider cryptographic primitives (encryption and signature), whose security assumptions are generic.

Parallel signcryption is further investigated by Pieprzyk and Pointcheval [33]. They proposed to use a (2,2)-Shamir secret sharing (SSS) as a commitment scheme. A plaintext m is first split into two shares (s1,s2), where any single share reveals no information about m. The first share s1 is used as a commitment and signed, while the second s2 is encrypted. The authors of [33] proposed two version of their scheme. The first version, called generic parallel signcryption, provides IND-CCA and UF-CMA security for signcryption using any IND-CCA secure encryption and UF-CMA secure signature. This result is the same as the one obtained in [2]. The second version, called optimal parallel signcryption, applies an asymmetric padding OAEP [7] as commitment scheme. This signcryption algorithm provides both IND-CCA and UF-CMA security in the random oracle (RO) model assuming any deterministic OW encryption (such as basic RSA) and any weakly secure deterministic signature (non-universally forgeable). The authors discuss the security of their schemes for the insider security model in a multi-user setting [34].

Dodis et al. [23, 22] propose a different approach to perform parallel signcryption. In their approach, they use a Feistel probabilistic padding, which can be viewed as a generalization of other existing probabilistic paddings such as OAEP [7], OAEP+ [35], PSS-R [8], etc. The authors argue that their signcryption provides IND-CCA and strong existential unforgeability (sUF-CMA) security assuming trapdoor one-way permutations only.

Hybrid signcryption is an attractive approach in the design of signcryption schemes. It follows the idea of hybrid encryption discussed in many works [17, 18, 28, 27, 15, 1, 5, 24]. Hybrid encryption consists of an asymmetric key encapsulation mechanism (KEM) and a symmetric data encapsulation mechanism (DEM). The first formal treatment of security of signcryption has been done by Dent [19, 20]. Some other related works are [14, 37, 31, 16]. Converting a hybrid encryption scheme to hybrid signcryption turns out to be much trickier than it looks. The main difficulty is an increase in complexity of analysis that results from a more complex adversarial model. It is necessary to consider not only straightforward attacks against authenticity and confidentiality of messages but also more intricate issues such as distinction between outsider and insider attacks. Moreover, CtS&E-type compositions are always preferred as a base for constructing secure KEMs.

### 1.2 Limitation of existing schemes

A majority of signcryption schemes follow the sequential designs StE or EtS. Note that all schemes for hybrid signcryption with KEM/DEM [19, 20, 14, 16] follow the sequential design. The sequential design limits the efficiency of signcryption. This limitation can be lifted by using the CtS&E composition, which performs encryption and signing in parallel and independently from each other. Many signcryption schemes are built using some specific intractability assumptions (for example, intractability of discrete logarithm [38, 4, 29]). These constructions are not generic as the assumptions limit the choice of underlying encryption and signature schemes. Constructions for hybrid signcryption are generic, but they require stronger security properties from key and data encapsulation mechanisms. For example, a recent generic hybrid signcryption scheme given by Chiba et al. [16] requires an IND-CCA secure KEM, a one-time secure symmetric-key encryption, a one-time secure message authentication code and a strong existentially unforgeable signature scheme. These requirements are much stronger than those needed in already available non-hybrid schemes [33].

To the best of our knowledge, there is no hybrid signcryption that claims IND-CCA security and existential unforgeability using weak security properties like one-wayness and universal unforgeability. Most of the signcryption schemes require existential unforgeability for the underlying signature scheme, which is a stronger assumption than universal unforgeability. A common method used to build CtS&E-type scheme [33, 30, 22, 34] is an OAEP-type padding. The padding gives rise to some common limitations such as: (1) it restricts message space, (2) it works with deterministic one-way encryption and deterministic signature only and (3) it provides security in the random oracle (RO) model. Unavailability of different types of padding schemes limits the extension of work for the CtS&E composition. Table 1 gives a brief summary of generic signcryption schemes based on CtS&E.

### Table 1

Generic signcryption schemes based on CtS&E-type composition, where IND stands for indistinguishability, OW for one-wayness, CPA/CMA for chosen plaintext/message attack, CCA for chosen ciphertext attack, UF for existential unforgeability, uUF for universal unforgeability, suUF for strong uUF, RMA for random message attack, gCCA for generic CCA, OW-CPA for trapdoor one-way permutation and OW-PCA for one-wayness under plaintext-checking attack.

 Schemes Model Encryption Signature Message length # of other functions Signcryption An, Dodis and Rabin No specific IND-CCA UF-CMA Restricted Commitment scheme IND-gCCA/UF-CMA Pieprzyk and Pointcheval Random oracle OW-CPA suUF-RMA Restricted 3 hash, 1 secret share scheme IND-CCA/sUF-CMA Dodis et al. Random oracle OW-CPA sUF-CMA Restricted 1 hash, 1 commitment scheme IND-CCA/sUF-CMA Unrestricted 1 hash, 1 commitment scheme, symmetric encryption Our result Ideal permutation OW-CPA suUF-RMA Unrestricted 1 SpongeWrap, 1 sponge function (≊ 2 hash) IND-CCA/sUF-CMA OW-PCA uUF-RMA IND-CCA/UF-CMA

### 1.3 Motivation

A randomized padding, like OAEP, is a powerful tool, which converts weakly secure fixed trapdoor one-way functions into public-key encryption that is secure against strong adaptive chosen ciphertext attacks. The padding has been used in signcryption as a part of the commitment scheme in the CtS&E composition. It is known that CtS&E allows the use of weak cryptographic primitives in a generic way to achieve a strong security of signcryption. A good example of such composition is the results by Pieprzyk and Pointcheval [33, 34], which integrate any one-way encryption system (such as the basic RSA) with a weakly secure signature (non-universally forgeable signatures) into a strong chosen-ciphertext secure and existentially unforgeable signcryption in the RO model. The limitation of functionality, like message space restriction or type of encryption scheme, is inherited from the commitment or padding scheme used.

Recently, motivated by the OAEP design, Bansal, Chang and Sanadhya [6] proposed another type of padding called SpAEP. SpAEP is based on the sponge permutation structure, where permutation is considered as an ideal permutation, and the resulting sponge has no restriction on maximum message space. Unlike KEM-DEM, the SpAEP padding provides a pathway to combine symmetric and asymmetric primitives without a strict delineation. In brief, SpAEP uses a versatile sponge function and SpongeWrap [26, 11, 12] in pipelined fashion, and a portion of its output is used as input to the asymmetric encryption. The padding provides similar security guarantees as OAEP, but it is more efficient. The SpAEP padding can be used with trapdoor one-way permutations only. The sponge-based padding SpAEP [6] is versatile and has been used in a different security model for asymmetric encryption based on an ideal permutation. The padding scheme supports arbitrarily long messages, uses small domain permutations and applies “on the fly” encryption. Its running time is equivalent to a hash function.

Motivated by versatility of the sponge-based padding and by amplification of security properties (as demonstrated in [33, 34]), we would like to develop a generic signcryption scheme that is secure in the ideal permutation model. We intend to use weak asymmetric primitives such as trapdoor one-way encryption and universal unforgeable signature. The scheme is designed to support arbitrarily long messages. Experimental comparisons of the proposed scheme with existing generic signcryption schemes based on implementation is beyond the scope of this paper. However, a structural comparative analysis is provided in the next section.

### 1.4 Structural comparison

Generally, runtime performance of any signcryption is determined by processing time of asymmetric primitives, irrespective of underlying message-padding scheme, except perhaps for very long plaintexts (which many existing signcryption schemes do not even support). Therefore, structural efficiency improvement plays a secondary role in overall performance of signcryption, with the primary role being played by the ability to use weaker and faster asymmetric components. Nevertheless, simple and feature-rich message padding is always required to widen the applicability and usability of signcryption.

The proposed scheme uses only one SpongeWrap function and one sponge function. From the efficiency point of view, the proposed scheme is optimal since only a single call of SpongeWrap ( one hash function) is required before parallel encryption and signature. One call to the sponge function is required after asymmetric encryption for a small amount of data. The reverse process features the same kind of optimality. Similar optimality remains while processing arbitrarily long messages. Moreover, the entire message padding scheme is based on the iterative structure of a single forward permutation, which also saves implementation effort.

When compared to other generic schemes, Pieprzyk and Pointcheval [33] use a hash function, a secret sharing and OAEP (2 hash functions). A similar overhead is seen in the construction proposed by Dodis et al. [23, 22]. A simple practical generic signcryption scheme is proposed by Dodis et al. [23, 22]. The authors proposed a padding scheme called P-pad, which is equivalent to OAEP+ [35]. A detailed comparison of OAEP+ and sponge-based padding (SpAEP) is provided by Bansal, Chang and Sanadhya [6], which shows sponge-based padding schemes are more efficient and practical compared to OAEP-type padding schemes. In case of arbitrarily long messages, the scheme of Dodis et al. [23, 22] requires an additional symmetric encryption unlike our proposed scheme. These additional requirements of different functions with different input-output settings increase the implementation effort. Therefore, overall, our proposed scheme provides a simple, better and feature-rich message padding scheme for construction of generic signcryption scheme.

### 1.5 Contributions

In this paper, we make the following contributions.

1. (i)

We present a signcryption scheme in the ideal permutation model using sponge structure. First we propose signcryption for messages of a fixed length. Then we show how to extend it for arbitrarily long messages. With careful analysis, we demonstrate how different combinations of weakly secure probabilistic/deterministic encryption and signature schemes can be used to build strongly secure generic signcryption. To the best of our knowledge, this is the first sponge-based signcryption. We also believe that the proposed signcryption is the first scheme, which allows different combination of weakly secure encryption and signature schemes to yield strongly secure signcryption that supports arbitrarily long messages.

2. (ii)

The demands on component security are merely one-wayness for encryption and universal unforgeability for signature. These minimum security requirements are sufficient to achieve indistinguishability and existential unforgeability security against adaptive attacks. Such weak requirements were only fulfilled in [33, 34], but the scope of [33, 34] is limited to fixed message space and deterministic encryption and signatures.

3. (iii)

Apart from encryption and signature primitives, our scheme requires an ideal permutation only. The iterative permutation model we use is based on the well-known iterative sponge structure. Note that, after the success of KECCAK [13] in the SHA-3 competition [39], the sponge structure is becoming more and more popular and can serve as a “Swiss army knife” in cryptography.

4. (iv)

Flexibility of the sponge-based padding allows to scale the system from relatively short messages to long ones while preserving security properties. Besides, the complexity of the security analysis does not increase. Note that some extra redundant data is used in the proposed sponge padding that plays an important role in supporting long messages.

The sponge structure used for message padding resembles the padding proposed in [6] but differs in two aspects. First, some extra redundant data is used to allow the usage of sponge padding with a signature to provide both unforgeability and confidentiality. Second, while the padding in [6] applies for deterministic asymmetric encryption only, here we extend the sponge padding, so it also works with probabilistic asymmetric primitives.

Some properties are naturally inherited from the sponge structure. Signcryption offers an “on the fly” computation property during the signcryption and unsigncryption processes. An implementation does not need to use the inverse permutation, which saves implementation effort and memory.

#### Streaming

Our signcryption strategy enables unbuffered “on the fly” data processing (a.k.a. “streaming”, “online”, “single-pass” operation) during both the signcryption and unsigncryption processes. This is of significant interest when handling large messages, and one of the differentiating features of our scheme. For the avoidance of doubt, we note that single-pass unsigncryption necessarily requires that the recipient be able to discard an already decrypted stream that ends up failing authentication, with no persistent side-effect, for IND-CCA security. This operational limitation only applies to unsigncryption.

## 2 Preliminaries

### 2.2 Public-key encryption

#### Description

A public-key encryption scheme Encrypt is defined by the following three algorithms:

1. the key generation algorithm 𝖦𝖾𝗇𝖤𝗇𝖼(1k) that produces a pair (pk,sk) of public and private keys on input 1k, where k is the security parameter,

2. the encryption algorithm 𝖤𝗇𝖼pk(m;g)=c that outputs a ciphertext c for a message m and a public key pk using random coins g𝙲𝙾𝙸𝙽𝚂 (the message and coin spaces and 𝙲𝙾𝙸𝙽𝚂 are uniquely determined by pk),

3. the decryption algorithm 𝖣𝖾𝖼sk(c) that recovers a message m from a ciphertext c using a secret key sk.

We require that an asymmetric encryption scheme should satisfy the following correctness condition. For all k, for all (pk,sk) generated by 𝖦𝖾𝗇𝖤𝗇𝖼(1k) and every m and g𝙲𝙾𝙸𝙽𝚂, we always have 𝖣𝖾𝖼sk(𝖤𝗇𝖼pk(m;g))=m. We denote as a minimum input size and +𝚌𝚘pe as output size of Enc, where 𝚌𝚘pe is ciphertext overhead of Enc. The length of g𝙲𝙾𝙸𝙽𝚂 is denoted by λ, where λk. Enc is a deterministic encryption (trapdoor one-way permutation) if it does not require g𝙲𝙾𝙸𝙽𝚂 and 𝚌𝚘pe=0. If Enc depends upon g𝙲𝙾𝙸𝙽𝚂 and 𝚌𝚘pe>0, then Enc is a probabilistic encryption (trapdoor one-way function).

#### Security notions

The simplest security notion for public-key encryption is one-wayness (OW). This is to say that an adversary 𝒞 cannot recover a plaintext m knowing a ciphertext c and a public key. We denote the maximum probability of success that an adversary can invert the encryption of a random plaintext m in time t by Succ𝒞,EncryptOW. OW is a minimal security requirement for public-key encryption. A variant of one-wayness is OW-PCA, which has been introduced in [32] for probabilistic encryption. For this notion, an adversary can additionally access a plaintext checking oracle (𝒪PC). The oracle 𝒪PC outputs 1 if a given (m,c) pair is a valid message/ciphertext pair for Encrypt; otherwise, it returns 0. As shown in [32], the ElGamal [25] encryption achieves OW-PCA under the GDH assumption. Clearly, for deterministic encryption, the OW and OW-PCA notions are the same.

A stronger security notion has also been defined. It is the so-called semantic security (a.k.a. indistinguishability of encryptions, IND). This is to say that a ciphertext should not leak any information about the encrypted message. More formally, knowing that a ciphertext is an encryption of one of two known messages, an adversary cannot guess the message with a non-negligible advantage. An adversary is seen as a 2-stage Turing machine (𝒜1,𝒜2), and the advantage AdvEncryptIND(𝒜) is negligible for any adversary, where

An adversary can try many different attacks. Knowing a public key, the adversary can encrypt any plaintext of its choice. This scenario is called the chosen-plaintext attack and denoted by CPA. Other attacks allow the adversary a restricted or unrestricted access to various oracles. The strongest attack allows the adversary to query the decryption oracle, which can be accessed adaptively in the chosen-ciphertext scenario (denoted as CCA). There is a restriction for queries – any query to the oracle should be different from the challenge ciphertext.

### 2.3 Signatures

#### Description

A digital signature Sign consist of the following three algorithms:

1. GenSign, the key generation algorithm, which, for a security parameter k, outputs a pair (pk,sk) of public and private keys,

2. Sign, the signing algorithm, which takes a message M and the secret key sk and outputs a signature σ=𝖲𝗂𝗀𝗇sk(M),

3. Ver, the verification algorithm, which accepts a signature σ, a message M and a public key pk and returns a binary answer 𝖵𝖾𝗋pk(σ,M) (valid or invalid ).

We assume that the signing algorithm takes an input of maximum sg bits and that it generates a signature of length σ.

#### Security notions

An adversary attempts to forge a signature. The probability of achieving this is assessed via the following game between a probabilistic polynomial time (PPT) adversary and a challenger.

1. (i)

The challenger generates a key pair (sk,pk)𝖦𝖾𝗇𝖲𝗂𝗀𝗇(1k).

2. (ii)

The adversary runs 𝒜𝒪(1k,pk). They have access to an oracle 𝒪 (which will be described below). The adversary terminates by outputting a message m* and its signature σ*.

In terms of resources, there are two types of attacks. The type of attack specifies the power that the adversary has in the attack.

1. In a no-message attack (NMA), the oracle gives no response. This is equivalent to an attack model in which the adversary does not have access to the oracle 𝒪. The adversary knows only the public key pk of the signer.

2. In the second, a known-message attack, the adversary has access to a signature oracle providing a list of valid message/signature pairs in addition to knowledge of the public key of the signer. If this list contains random and uniformly chosen messages, then the attack is termed a random-message attack (RMA). If this list contains messages chosen by an adversary, the attack is termed a chosen-message attack (CMA). A chosen-message attack seeks to emulate the normal mode of use of a signature scheme, in which an adversary can observe signatures produced by a legitimate party, perhaps in some adversarial chosen way.

There are two ways, in which we can assess whether the adversary succeeds in forging a signature.

1. Existential unforgeability (UF) – the adversary wins if it outputs a pair (m*,σ*), where 𝖵𝖾𝗋pk(m*,σ*)= and the adversary never queried the signature oracle with the message m*.

2. Strong existential unforgeability (sUF) – the adversary wins if it outputs a pair (m*,σ*), where the same conditions as for UF hold and, additionally, the adversary never received the response σ*.

In case of a finite message space , we may consider a weaker security notion. For the success criteria, we may ask the adversary to produce a forged signature for a randomly chosen message m*$. This leads us to a new game played by a probabilistic and polynomial-time adversary. 1. (i) The challenger generates a key pair (sk,pk)𝖦𝖾𝗇𝖲𝗂𝗀𝗇(1k) and a message m*$.

2. (ii)

We may define two success criteria for this security game.

1. In the universal unforgeability (uUF) game, the adversary wins if 𝖵𝖾𝗋(pk,m*,σ*)= and the adversary never queried the signature oracle with the message m*.

2. In the strong universal unforgeability (suUF) game, the adversary wins if 𝖵𝖾𝗋(pk,m*,σ*)= and the adversary never queried the signature oracle with the message m* nor received the response σ*.

We say a signature is deterministic if signing a message multiple times results in the same signature. We say a signature is probabilistic if signing a message twice results in different signatures with overwhelming probability.

### 2.4 Signcryption: Joint encryption and signing

#### Description

A signcryption scheme SignCrypt is defined by the following three algorithms:

1. Gen, the key generation algorithm, which outputs a pair of keys (SDK,VEK) for a security parameter k, where SDK is the user’s sign/decrypt key, which is kept secret, and VEK is the user’s verify/encrypt key, which is made public,

2. SignEnc, the encryption and signing algorithm, which, for a message M, the public key of the receiver VEKR and the private key of the sender SDKS, produces a signed ciphertext Y=𝖲𝗂𝗀𝗇𝖤𝗇𝖼SDKS,VEKR(M),

3. VerDec, the decryption and verifying algorithm, which, for signed ciphertext Y, the private key SDKR of the receiver and the public key VEKS of the sender, recovers the message M=𝖵𝖾𝗋𝖣𝖾𝖼SDKR,VEKS(Y). If this algorithm fails either to recover the message or to verify its authenticity, it returns .

#### Security notions

We can combine classical security notions of signature and encryption to form a security notion of signcryption under adaptive attacks. Given access to public information PUB=(VEKS,VEKR) and oracle access to the functionalities of both sender S and receiver R, the adversary attempts to break

1. (i)

authenticity (UF): coming up with a valid signed ciphertext of a new message, and thus provide an “existential forgery”,

2. (ii)

privacy (IND): breaking the “indistinguishability” of signed ciphertexts.

In the security analysis, the adversary may be one of S or R. So S may want to break the privacy, or R may want to break authenticity. If signcryption prevents existential forgeries and guarantees indistinguishability in the above attack scenarios (with chosen-message attacks CMA, or adaptive attacks AdA), we say the scheme is secure.

#### Definition 2.1.

A signcryption scheme is secure if it achieves IND/UF under adaptive attacks.

### Description

Sponge-based padding consist two functions: SpWrap and Sponge. SpWrap and Sponge take some of their length parameters from Encrypt and Sign used in SIGNCRYPT.

### SpWrap

This function is based on an iterated ideal permutation π:{0,1}(b=r+c){0,1}b with an initial value IV. It is a tuple of two algorithm SpWrap.Enc() and SpWrap.Dec().

On an input message M from message space Msg{0,1}*, SpWrap.Enc() gives the output CT using a random K from the keyspace Key{0,1}k. SpWrap.Enc() takes the input message M, IV=IV1IV2, K and some length parameters like k,r,sg. The output of SpWrap.Enc() is CT, where |C|>|M| and |T|=k. SpWrap.Dec() takes a ciphertext CT, IV=IV1IV2, K and some length parameters like k,r,sg as input. The output of SpWrap.Dec() is M or .

SpWrap uses a structure similar to SpongeWrap [11], but its message padding is a little more specific than the general injective reversible padding used in SpongeWrap. After applying injective reversible padding to the input message, which is required for smooth functioning of the sponge structure, we specifically add a 0r-bit block before the specific length sg. This addition of an extra block is required during parallel signcryption to prevent some trivial forgery attack, which we will discuss later during the proof.

### Figure 1

𝑆𝑝𝑊𝑟𝑎𝑝π, or simply SpWrap, and Sponge function.

### Sponge

This function works exactly like the sponge function in [26]. Sponge has fixed b-bit initial value IV, which is different from the IV of SpWrap. In Sponge, we take IV=IV1IV3, where IV3=IV21. Sponge takes J{0,1}* as input and outputs the k-bit tag value h. We define the Sponge function based on π as follows:

### Properties

One useful property of SpWrap is its bijection. Considering a fixed IV for SpWrap, each query to SpWrap.Enc() has a fixed chain of internal variables because of the permutation π. Therefore, every query will have its unique set of state values. No two different queries can have a similar whole set of state bits. The first point of difference between two queries will create diversion in the set values because of the permutation π.

## 4 Parallel signcryption: SIGNCRYPT

In this section, we describe our proposal of parallel signcryption using sponge-based padding. To keep this scheme simple, we start with a restricted message space and a deterministic signature scheme. We remove these conditions in Section 5.

### 4.1 Description

Building blocks of parallel signcryption SIGNCRYPT are

1. an encryption scheme Encrypt=(𝖦𝖾𝗇𝖤𝗇𝖼,𝖤𝗇𝖼,𝖣𝖾𝖼),

2. a signature scheme Sign=(𝖦𝖾𝗇𝖲𝗂𝗀,𝖲𝗂𝗀𝗇,𝖵𝖾𝗋),

3. a permutation π:{0,1}(b=r+c){0,1}b (assumed to behave like an ideal permutation),

4. for k-bit security of parallel signcryption, π having sufficient r>c>k such that it should provide at least k-bit security,

5. assuming =n*r and sg=m*r for some positive integers n,m>0,

6. a public function ID, which maps the public key of any user A to a unique r-k2-bit string in a compatible string format as IDA, the communicating parties are denoted as sender S and receiver R,

7. the length of a message M is +sg-2(k+1).

### Algorithm (Key generation: 𝖦𝖾𝗇⁢(1k)=𝖦𝖾𝗇𝖲𝗂𝗀×𝖦𝖾𝗇𝖤𝗇𝖼⁢(1k)).

Sender S generates (sksig,pksig)𝖦𝖾𝗇𝖲𝗂𝗀S(1k) and receiver R generates (skenc,pkenc)𝖦𝖾𝗇𝖤𝗇𝖼R(1k). The sender keys are (skS,pkS)=(sksig,pksig), and the receiver keys are (skR,pkR)=(skenc,pkenc). Accordingly, SDK=(skS,skR) and VEK=(pkS,pkR). Using the function ID, the unique identities of sender S and receiver R will be IDS and IDR, respectively.

### Algorithm (Encrypt and sign: 𝖲𝗂𝗀𝗇𝖤𝗇𝖼SDKS,VEKR⁢(M)).

1. (1)

Compute CT=SpWrap.Enc(K,M,IV1IV2,r,k,sg), where IV1=IDSIDR, IV2=0c, K${0,1}k, |K|=k and r is the input rate of π. 2. (2) Parse CT into S1S2T, i.e., CT=S1S2T, where |S1|=, |S2|=sg. 3. (3) Calculate (in parallel) Y1=𝖤𝗇𝖼pkR(S1), σ=𝖲𝗂𝗀𝗇skS(S2). 4. (4) Calculate Kh=K𝑆𝑝𝑜𝑛𝑔𝑒(S1Y1), Tk=TK. 5. (5) The final output (Kh,Y1,Y2=(S2,σ),Tk) is sent to the receiver R. ### Figure 2 Signcryption scheme SIGNCRYPT. ### Algorithm (Decrypt and verify: 𝖵𝖾𝗋𝖣𝖾𝖼SDKR,VEKS⁢(Kh,Y1,Y2,Tk)). 1. (1) Calculate (in parallel) S1=𝖣𝖾𝖼skR(Y1), /=𝖵𝖾𝗋pkS(Y2=(S2,σ)). Ver returns either valid, , or if the signature is invalid. In case of returning , the decryption and verify algorithm VerDec returns and stops. 2. (2) If Ver returns , then calculate K=Kh𝑆𝑝𝑜𝑛𝑔𝑒(S1Y1) and T=TkK. 3. (3) Set C=CfCe=S1S2, and set IV1=IDSIDR, IV2=0c. 4. (4) Compute M=SpWrap.Dec(KCT,IV1IV2,r,k,sg). Return M=M if M; else return . ### 4.2 Security of parallel signcryption Security of signcryption has two facets, namely, IND-CCA security and unforgeability under adaptive chosen message attack (UF-AdA). Before proceeding to the details of our proofs of each part individually, we provide a bird’s eye view of each proof. ### Theorem 4.1. If the encryption scheme is OW-PCA and the signature scheme is deterministic uUF-RMA, then the parallel signcryption scheme described in Section 4.1 is IND/UF-AdA secure. #### Unforgeability The following lemma can be derived from Theorem 4.1. #### Lemma 4.2. If there exists an adversary A against the UF-AdA security of the parallel signcryption scheme with advantage AdvSignEncUF-AdA(k) (whose running time is bounded by t and who makes at most qπA queries to the permutation π:{0,1}b=r+c{0,1}b and qsc queries to the signcryption oracle and qusc queries to the unsigncryption oracle), then there exists an adversary B against the uUF-RMA security of the signature scheme with advantage AdvSignuUF-RMA(k) (whose running time is bounded by tt+qsc(τ+O(1)), where τ denotes the maximal running time of the encryption and signing algorithm) for which Adv𝖲𝗂𝗀𝗇𝖤𝗇𝖼UF-AdA(k)AdvSignuUF-RMA(k)+(qπ-1)qπ2b+1+qπ(qπ+1)2c+qscqπ𝒜2k+qusc2k+qsc2r, where qπ is total number of π queries, including the queries by adversary, signcryption and unsigncryption oracles. #### Proof sketch. We are dealing with the insider security model; the adversary has a target sender IDS* in mind and it knows the sender’s public key pkS*. The adversary has access to the signcryption oracle under skS*. In the multi-user setting, many receivers with different IDs are taken into consideration. We make the subsequent changes in the permutation π such that π gives a permutation response for each new query but r bits out of the b-bit output are random. Likewise, c bits out of the b bit output are always different for new input. The bound of these changes will be (qπ-1)qπ2b+1+qπ(qπ+1)2c, where qπ is the number of total queries on π. In an abstract way, this bound includes collision over the b-bit and c-bit outputs of π. We start making changes in the SignEnc oracle. We try to make the output of the SignEnc oracle random by using a random output of π. We use the message/signature pair list Signlist having qH elements, where messages are chosen at random and signatures are calculated based on skS*. Because we are working in the multi-user security model, SignEnc accepts different receiver’s IDs along with M. Finally, SignEnc can respond with random output using a pre-computed Signlist, likewise independent of 𝖲𝗂𝗀𝗇skS*. The bound of changing the original response with a random response comes out to be qscqπ𝒜2k. This bound captures the probability of guessing the randomness K used during the number of signcryption queries qsc. We modify the VerDec oracle such that we detect an existential forgery on VerDec and show a reduction to the universal forgery on Ver. Whenever we discuss a forgery, we consider IDR=IDR* in VerDec given by an adversary with target sign-ciphertext y* and related pkR* and skR* for target sender IDS*. For detecting a valid forgery, we cross-check the set Ivd consisting of the input/output of π during unsigncryption against a set Iπ𝒜 and Iπsc consist of the input/output of π maintained by the adversary and the signcryption oracle, respectively. Let qusc be the number of unsigncryption queries, and let qsc be the number of signcryption queries. We show that if IvdIπsc, then this is not an existential forgery. We show that if (IvdIπscandIvdIπ𝒜) or IvdIπ𝒜, then the probability of having an existential forgery is negligible. The bound for these changes comes out to be qusc2k+qsc2r+AdvSignuUF-RMA(k). This bound captures the probability of producing a target collision on T or a target collision on the input of Ver or creating a signature on random input of Sign. During the unforgeability proof, it is natural to assume that the encryption scheme is following trapdoor one-wayness and its correctness condition. For a detailed proof, see Appendix A. We can have the following corollaries from the proof of Lemma 4.2, which are also summarized in Table 2. #### Corollary 4.3. If the encryption scheme follows OW-PCA and the signature scheme is uUF-RMA, then the parallel signcryption scheme is UF-AdA. Corollary 4.3 is a direct implication of Lemma 4.2. This corollary includes both probabilistic and deterministic signature schemes and also encryption schemes. Corollary 4.4 is a sub-class result of Corollary 4.3, where the deterministic signature scheme follows UF-AdA (or sUF-AdA). This corollary serves as a bridge for our next corollary, Corollary 4.5. #### Corollary 4.4. If the encryption scheme follows OW-PCA, and the signature scheme is suUF-RMA, then the parallel signcryption scheme is UF-AdA. #### Corollary 4.5. If the encryption scheme is deterministic and follows one-wayness, and the signature scheme is suUF-RMA, then the parallel signcryption scheme is sUF-AdA. Corollaries 4.4 and 4.5 have a difference in achieved security because of the probabilistic and deterministic nature of the encryption scheme. This is mainly because the encryption scheme that follows OW-PCA includes some probabilistic asymmetric encryption schemes, which have a re-randomization problem. In re-randomization, for the same input to an asymmetric primitive, a different output value could be generated. In such a case and because of the insider security model, an adversary attacking the unforgeability of SIGNCRYPT can produce a different sign-ciphertext for the same input message, which is queried earlier. For example, for a query M,IDR, the output is Kh,Y1,Y2,Tk for some K. Using insider knowledge and the probabilistic nature of asymmetric encryption, a new, valid output could be Kh,Y1,Y2,Tk for the same K and M,IDR. Such a valid pair is allowed as part of forgery in sUF, but not in UF. Therefore, in Corollary 4.4, Sign follows suUF-RMA, but overall SIGNCRYPT follows only UF-AdA. If the encryption scheme is deterministic, then the above attack is not valid, and SIGNCRYPT can benefit from suUF-RMA. A summary of the above discussed corollary is shown in Table 2. ### Table 2 Unforgeability of SIGNCRYPT under different assumptions on Sign and Encrypt.  Sign Encrypt uUF-RMA suUF-RMA Deterministic OW-CPA UF-AdA sUF-AdA Probabilistic OW-PCA UF-AdA UF-AdA #### Privacy The following lemma can be derived from Theorem 4.1. #### Lemma 4.6. Consider an adversary A against the IND-CCA security of the parallel signcryption scheme with advantage AdvSIGNCRYPTIND-CCA(k) whose running time is bounded by t and which makes at most qπ queries to the permutation π:{0,1}b=r+c{0,1}b oracle and qusc queries to the unsigncryption oracle. Then there exists an adversary B against the OW-PCA security of the public-key encryption scheme with advantage AdvEncryptOW-PCA(k) and whose running time is bounded by tt+qusc(τ+O(1)), where τ denotes the maximal running time of the decryption and verification algorithms, for which AdvSIGNCRYPTIND-CCA(k)AdvEncryptOW-PCA(k)+(qπ-1)qπ2b+1+qπ(qπ+1)2c+qusc2k+qπ𝒜2k, where qπ is the total number of π queries, including queries by the adversary (qπA), signcryption and unsigncryption oracles, and λ=k. #### Proof sketch. We are dealing with the insider security model in the multi-user setting; the adversary has a target receiver IDR* in mind. The adversary knows the receiver’s public key pkR and has access to the VerDec oracle under skR. Further, we assume that an adversary 𝒜 observed qusc queries to the VerDec oracle. Adversary 𝒜1 has also chosen a pair of messages M0 and M1 and a key pair (skS*,pkS*) for IDS*. It receives a ciphertext (y1*,y2*,y3*) under (skS*,pkR*) of either M0 or M1. The unknown message is denoted by Md, where d is the bit that adversary 𝒜2 wishes to find out. We make the subsequent changes in the permutation π such that π gives a permutation response for each new query, but r bits out of the b-bit output are random. Likewise, c bits out of the b-bit output are always different for new input. This part remains the same as for unforgeability. We modify the unsigncryption oracle such that it nullifies those queries to the unsigncryption oracle about which the adversary does not know an answer in advance with the help of the π query and which can be simulated without using the private key of the receiver skR*. If IπvdIπ𝒜, then the probability that the adversary can get an answer from the unsigncryption oracle is bounded by qusc2k, which includes target collision on T for the number of unsigncryption queries qusc. Unlike unforgeability, the adversary is allowed to generate a valid signcryptext, but only those will be valid about which the adversary already knows the answer. We modify the signcryption oracle using the random response of π. This will lead to simulating the signcryption oracle returning a random response. This change will be bounded by the probability of guessing the randomness K used by an adversary or the advantage of an OW-PCA adversary breaking the one-wayness (OW). The privacy proof of the scheme depends upon the probabilistic or deterministic nature of the underlying signature scheme. During the proof, we assume that the signature scheme is deterministic and follows the correctness condition. In subsequent sections, we show how we can remove this assumption on the signature scheme. For a detailed proof, see Appendix B. After the proof of Lemma 4.6, we can have the following corollaries. #### Corollary 4.7. If the encryption scheme is OW-PCA and the signature scheme is deterministic, then the parallel signcryption scheme is IND-CCA. This corollary follows directly from Lemma 4.6. #### Corollary 4.8. If the encryption scheme is deterministic OW-CPA and the signature scheme is deterministic, then the parallel signcryption scheme is IND-CCA. This corollary follows a sub-class result of Corollary 4.7, where the deterministic OW-CPA secure encryption scheme also follows OW-PCA. Next, Corollary 4.9 is another representation of Corollaries 4.7 and 4.8, where we say only suUF-RMA signature schemes are valid for security because a deterministic uUF-RMA secure scheme also follows suUF-RMA. #### Corollary 4.9. If the encryption scheme is deterministic OW-CPA and the signature scheme suUF-RMA, then the parallel signcryption scheme is IND-CCA. Corollaries 4.4 and 4.7 together give Theorem 4.1. Corollaries 4.5 and 4.9 together give the following theorem, Theorem 4.10. A summary of the corollaries related to the privacy proof of SIGNCRYPT is shown in Table 3. A gap in the results, where probabilistic Sign following uUF-RMA does not provide security to SIGNCRYPT will be addressed in the next section. ### Table 3 Privacy of SIGNCRYPT under different combinations of Sign and Encrypt.  Encrypt Sign OW-PCA Deterministic uUF-RMA IND-CCA suUF-RMA IND-CCA Probabilistic uUF-RMA — suUF-RMA IND-CCA #### Theorem 4.10. If the encryption scheme is deterministic OW-CPA and the signature scheme is suUF-RMA, then the parallel signcryption scheme is IND/sUF-AdA secure. The proof of this theorem exactly follows the proof of Theorem 4.1, except that we now assume that Sign is suUF-RMA secure and Encrypt is also deterministic OW-CPA. ## 5 Extension of parallel signcryption In Section 4, we saw two limitations of SIGNCRYPT. First, it does not support probabilistic Sign, where the same input can give two or more different signatures. Second, there is a restriction on the maximum message length. In this section, we discuss how to extend the usage of the parallel signcryption SIGNCRYPT in case of probabilistic Sign and in case of arbitrarily long messages. ### 5.1 Using probabilistic Sign Probabilistic Signis not supported in the proposed scheme because we assumed Sign is deterministic and, for the same input, two different signatures are not considered. In cases where a probabilistic Sign scheme needs to be used, IND-CCA security of SIGNCRYPT will no longer be valid under the proposed scenario because now an insider adversary can simply produce another signature σ on S2* of the challenged signed ciphertext and submit Kh*,Y1*,Y2=(S2*,σ),Tk* to VerDec. This will lead to knowing bit d of Md with probability 1 without violating the IND-CCA experiment. This attack case can be handled easily in two ways. #### Solution 1 Relaxing IND-CCA experiment to IND-gCCA [2]: Consider the challenged signed ciphertext Kh*,Y1*,Y2=(S2*,σ*),Tk* as two parts. The first one is the ciphertext (Kh*,Y1*,S2*,Tk*), and the second one is the signature σ*. Imposing a restriction on the adversary attacking the IND-CCA security, not only can the challenged signed ciphertext not be queried to the decryption oracle, but those queries that result in the same as the challenged ciphertext Kh*,Y1*,S2*,Tk* are also prohibited. A query to VerDec having the challenged ciphertext Kh*,Y1*,S2*,Tk* could be easily determined by using the public key of the sender as verification key. This change in the IND-CCA experiment is similar to IND-gCCA proposed in [2]. An, Dodis and Rabin [2] proposed this IND-gCCA notion specifically for signcryption in a more formal way to avoid the trivial attack discussed above. By following the IND-gCCA security experiment in [2], we can propose another corollary from Lemma 4.6. #### Corollary 5.1. If the encryption scheme is OW-PCA and the signature scheme is unforgeable, then the parallel signcryption scheme is IND-gCCA. This corollary can be combined with corollaries from Lemma 4.2 and different, new results can be achieved. #### Solution 2 Include σ also as part of the input in Sponge. This inclusion of σ in Sponge will bind σ to a particular K, S2 like in the case of Y1. Now the above discussed attack will not work because a different σ will lead to a different K. This change is more simple compared to the IND-gCCA security notion requirement. This change is initially not included in the proposed scheme with the intention to keep the proof simple and straight. Inclusion and reason of this proposed change helps in understanding about IND-gCCA and (Y1,σ) as input to Sponge. ### 5.2 Arbitrarily long messages An arbitrarily long message can be supported in SIGNCRYPT without any major structure modification. Earlier, S1S2T=CT when |CT|=+sg+k. If |CT|>+sg+k, then S1CeS2T=CT, where |S1|=, |S2|=sg, and the final output of SIGNCRYPT is (Kh,Y1,Ce,Y2=(S2,σ),Tk). Caution. It is essential that if |CT|>+sg+k, then S1CeS2T=CT, notS1S2CeT=CT, where S1 is the input of Enc and S2 is the input of Sign. This requirement to perform signing on the last part of the data arises in signcryption to prevent a trivial forgery attack by an insider adversary. In case where Sign is performed on data subsequent to Enc data, like S1S2CeT=CT, then the adversary can replace Ce and accordingly T using π𝒜, sk and pk of Enc. This modification will lead to a trivial forgery. With this proposed change from solution 2 and support of long messages, we call SIGNCRYPTG a generic version of SIGNCRYPT. A graphical representation of generic signcryption is shown in Figure 3. ### Figure 3 Signcryption scheme SIGNCRYPTG. The input message is passed to SpWrap, which uses checkin and the SpongeWrap function, along with random K. SpWrap outputs CT, and CT further splits into S1CeS2T. The asymmetric encryption scheme Enc takes S1 as input and outputs Y1. The signature scheme Sign takes S2 as input and outputs Y2, which consists of (S2,σ), where σ is the signature. Sponge takes Y1,S1 and σ as input and outputs h, which further gets xored with K to produce Kh. The final output will be Kh,Y1,Ce,Y2,Tk, where Tk=TK. Theorem 4.1 can be modified for SIGNCRYPTG as follows: ### Theorem 5.2. If the encryption scheme is OW-PCA and the signature scheme is (uUF,suUF)-RMA, then the parallel signcryption SIGNCRYPTG scheme is IND-CCA/(UF,sUF)-AdA secure. ### Proof sketch. If we follow the proof of Lemma 4.2, after game G5, we can clearly see that the output of π is random. Following random π, the output h of Sponge is also random. Even if the adversary tries to use another σ for the same S2, this will result in a change of h that leads to random K and Tk, and the adversary needs to produce a target collision over that T or K. This case is already included in the proof when IvdIsc and IvdIπ𝒜. For IND-CCA security of SIGNCRYPTG, we can follow the proof of Lemma 4.6 including extra cases when Encrypt and Sign are probabilistic. In order to get information about Md, now the adversary tries to produce different Y1 for the same S1* or different σ for the same S2*. Either of these cases will change the value of K*, which reduces the problem again of having a collision on T or having knowledge of S1. This results in the same bound on IND-CCA2 as for SIGNCRYPT. Therefore, regarding IND-CCA of SIGNCRYPTG, the addition of Sponge is a dummy operation compared to SIGNCRYPT for outputting T, but its usage protects σ of Sign and outputs Y1 of Encrypt by making them dependent on a particular K. This dependency provides IND-CCA security for SIGNCRYPTG in a similar way for SIGNCRYPT. ## 6 Conclusion The combination of an encryption and a signature scheme yields a signcryption scheme. The extra burden of satisfying both privacy and unforgeability against insider adversaries increases the complexity of proving that the system is secure and efficient. This complexity brings limitations on the signcryption scheme in terms of the needed security assumptions, security achievement and efficiency to balance each other. Message pre-processing is found to be an attractive way to build a secure and efficient signcryption scheme. These message pre-processing techniques are found to be inflexible, which disallows their improvement in different scenarios like long message length, different types of underlying encryption and signature schemes, insider security, efficient computation in parallel, etc. The versatile nature of the sponge structure enable us to modify message pre-processing efficiently. This efficient message pre-processing helps us to build a secure signcryption scheme achieving a higher security level using a weakly secure encryption and signature scheme. We also found that the probabilistic and deterministic nature of the signature scheme plays an important role in the privacy of the signcryption scheme, but the same is not true for unforgeability with respect to the encryption scheme. At the end, we were able to find a signcryption scheme that can perform efficiently without compromising its security. The proposed scheme is highly customizable as it allows to use weakly secure schemes and different types of the underlying encryption and signature schemes. Communicated by Carlo Blundo Funding source: Australian Research Council Award Identifier / Grant number: FT140101145 Award Identifier / Grant number: DP180102199 Funding source: Narodowe Centrum Nauki Award Identifier / Grant number: DEC-2014/15/B/ST6/05130 Funding statement: Xavier Boyen is supported by Australian Research Council Future Fellowship grant FT140101145. Josef Pieprzyk was supported by Polish National Science Centre grant DEC-2014/15/B/ST6/05130 and Australian Research Council Discovery grant DP180102199. ## A Proof of Lemma 4.2 ## Proof. We consider an experiment similar to UF-AdA as described in Section 2.3. We follow the subsequent experiment for UF-AdA security of SIGNCRYPT against adversary 𝒜. The advantage of adversary 𝒜 is given by AdvSIGNCRYPTUF-AdA(k)=Pr[ExpSIGNCRYPT,𝒜UF-AdA(k)=1]. We use a game-based proof framework [10]. We are dealing with the insider security model; the adversary has a target sender IDS* in mind and it knows the sender’s public key pkS*. The adversary has access to the signcryption oracle under skS*. We denote the winning event of forging a signcryptext in game i by Gi. Game G0 represents the original signcryption game for UF-AdA. The adversary issues qsc queries on the signcryption oracle specifying the receiver IDR in each query using IDS*. Adversary 𝒜’s target is to give a target IDR* and a signed ciphertext (Kh*,Y1*,Y2*=(S2*,σ*),Tk*) such that 𝖵𝖾𝗋𝖣𝖾𝖼skR*,pkS*(Kh*,Y1*,Y2*,Tk*)=M*, where (M*,IDR*) should not be queried by 𝒜 to SignEnc. Adversary 𝒜 might ask (M,IDR*) or (M*,IDR) to SignEnc. Therefore, Pr[G0]=Pr[ExpG0,𝒜UF-AdA(k)=1]=Pr[ExpSIGNCRYPT,𝒜UF-AdA(k)=1]. From G0 to G4, we make successive changes in the permutation π. The modified π gives a permutation response for each new query such that r bits out of the b-bit output are random. Likewise, c bits out of the b-bit output are always different for new input. This helps us to exploit the permutation property of Sponge and make an output C deterministic for a specific input K, M and IV. Any change in either of the four values (C,M,K,IV) will make at least one value random. Here “any change” implies, while establishing a relation between (C,M,K,IV), if any input/output pair of π is not defined already, then essentially one of the parts is new or randomly generated. ### Figure 4 Game G0 Games G1 and G2. We start making changes in the permutation π. In G1, we take the response of π randomly and differently from the previous responses using the set Iπ. In G2, π queries are simulated as a random function, that is, for every new input, the output is random, which does not need to be different. So, in G2, π gives a random response without cross-checking it in the previous input/output response list Iπ. G1 and G2 remain identical until the output of the π query collides with any of the previous outputs. This collision is denoted as the event bad. The probability that a random response chosen as the output of π will collide with any previous response is (qπ-1)qπ2b+1, where qπ is the total number of queries on π (and π-1), either from oracle calls by a different oracle or by the adversary 𝒜. Therefore, |Pr[G2]-Pr[G1]|(qπ-1)qπ2b+1. ### Figure 5 Games G1 and G2. The dashed box has a dummy line of code with respect to G0, added and shared with both G1 and G2. G1 is with the solid box and G2 without the solid box. Games G3 and G4. G3 remains the same as G2. In G3, we split up the output v of π in input rate v1 and capacity rate v2. We also have a set c, which initially consists of IV2 and IV3. The output v of π is chosen at random from the previous outputs. We mark an event as 𝑏𝑎𝑑𝑡𝑟𝑢𝑒 in case v2 is part of any previous output, v2c. In G4, π is converted back to a permutation from a random function. Now, in G4, if 𝑏𝑎𝑑𝑡𝑟𝑢𝑒 happens, then v2 is chosen again randomly from its set, but rejecting the values already in the set c. So, in case of 𝑏𝑎𝑑𝑡𝑟𝑢𝑒, the input rate part of π’s output is random and the capacity part is different from all previous capacity parts of the outputs. In G4, π works again as an ideal permutation, but the permutation is happening over the capacity parts of the output. After every query, the sets Iπ and c are updated according to the input/output response of π. The probability of 𝑏𝑎𝑑𝑡𝑟𝑢𝑒 will be qπ(qπ+1)2c. Therefore, |Pr[G4]-Pr[G3]|qπ(qπ+1)2c. ### Figure 6 Games G3 and G4. The dashed box shows a dummy line of code added in G3 with respect to G2. G3 is without the solid box and G4 with the solid box. From G5 to G9, we start making changes in the SignEnc oracle. We try to make the output of the SignEnc oracle random by using a random output of π. We use the message/signature pair list Signlist having qH elements, where messages are chosen at random and signatures are calculated based on skS*. In the last SignEnc, it can respond with random output using a pre-computed Signlist, likewise independent of 𝖲𝗂𝗀𝗇skS*. Games G5 and G6. G5 is the same as G6. In G6, in SignEnc, we add a dummy random string C*T* equivalent to the length of CT, shown as dashed box. G5 and G6 are the same except for some dummy lines that are added in G6 at step 4 and 5 in SignEnc. In these dummy lines, C*T* is chosen at random, and C* is split into ci*, where 1in+1 and each |ci*|=r. ### Figure 7 Games G5 and G6. The dashed box shows added dummy lines of code in G6 compared to G5. G5 has the same code as G4. Games G6 and G7. In G7, we change the response of π according to ci* such that SpPad.Enc outputs C*T* for M on K. As we already know, the r-bit part of the b-bit output of π is random. Therefore, we can replace the random output x of π with another random value mici. Such a change will produce C*T* as the output response of π from its “for” loop. Now S1S2T=C*T*, and this is used for calculating encryption and signature for the final output. Here C*=c1cece+1cn+1, S1=c1ce and S2=ce+1cn+1. We store the input/output response of π, called in SignEnc, in a set Iπsc. This change of response might fail if the response of the first π call using K in SignEnc is already defined by the 𝒜 query in IπA using π𝒜 and publicly known IV2 and IDs. Because if the first response of π using K in SignEnc goes collision free, then all successive responses will be new due to the permutation property. Therefore, the probability of failure of this response change in G7 for qsc queries is qπ𝒜2k. Therefore, |Pr[G7]-Pr[G6]|qscqπ𝒜2k. ### Figure 8 Games G6 and G7. G6 follows the code without the rounded box. G7 follows the code without the solid box. Games G7 and G8. In G8, we chose a new message/signature pair from Signlist at random. We replace the chosen message Si from Signlist with S2 of π loop’s (SpPad) output. In G8, before starting to calculate SpPad and after generating C*T*, we set S1S2T=C*T*. Then we replace S2 with Si of the (message/signature) pair list, and then again set C*T*=S1S2T. The rest of the code remains the same as G7. Here we replace a random S2 with a random Si of Signlist and calculate the rest as in G7. Because both Si and S2 are random, no difference will arise in games G7 and G8. Games G8 and G9. In G9, the code remains the same as in G8; instead of calculating σ=𝖲𝗂𝗀𝗇skS(S2=Si), one can simply replace this operation with a pre-calculated σi for Si from Signlist. Now SignEnc is independent of skS of Sign and later available to adversary for a uUF-RMA attack on Sign. ### Figure 9 Games G8 and G9. The dashed box shows dummy lines of codes added in G8 compared to G7. G8 follows the code without the rounded box. G9 follows the code with the rounded box. From now on, we start making changes in the VerDec oracle. Game G10. In G10, we add some dummy lines, which does not affect the UF-CMA experiment of the game, and G10 remains the same as G9. In G10, we modify the VerDec oracle such that we detect an existential forgery on VerDec and show a reduction to universal forgery on Ver. Whenever we discuss a forgery, we consider IDR=IDR* in VerDec and related pkR* and skR* for the target sender IDS*. We set flag to a boolean value old initially, and set it to new in case the input/output response of π during VerDec does not belong to (IscπandIπ𝒜). Here 𝑓𝑙𝑎𝑔=𝑜𝑙𝑑 signifies that the input to VerDec is the output of SignEnc for some i-th query in case IvdIscπ, or all of π’s input/output responses are already known to adversary 𝒜 in Iπ𝒜 if IvdIπ𝒜. Similarly, if flag becomes new, then one of the values of π in VerDec is new with regard to SignEnc. In case validation passed for 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤, then essentially the answer M is not queried before SignEnc, and one of the values from Kh,Y1,Y2,T is used differently compared to any value in the output of SignEnc. A forgery is assumed to be valid only when 𝖵𝖾𝗋pkS(y2=(S2,σ)) and T=T happens under 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤 for IDR*. We try to detect a forgery based on a randomly chosen known input of Ver. Game G11. In G11, we return in case 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤. Here the difference between G10 and G11 is the probability of T=T in case 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤. In case validation passed for 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤, then essentially the answer M is not queried before SignEnc, and one of the values from π is freshly defined. This leads to a target collision on the proposed T in the input to VerDec. This happens with a probability of 12k. Therefore, |Pr[G11]-Pr[G10]|qusc2k. ### Figure 10 Games G10 and G11. The dashed boxes show dummy lines of code added in G10 compared to G9. G10 follows the code with the rounded box, without the solid box. G11 follows the code without the rounded box, with the solid box. ### Figure 11 Games G12 and G13. The dashed boxes show added dummy lines of code in G12 compared to G11. G12 follows the code without the solid box, with the rounded box. G13 follows the code with the solid box, without the rounded box. Game G12. G12 is the same as G11 except for some dummy lines of code added, shown in dashed boxes. 1. Initially, a random Sj of length sg is chosen. In case this Sj appears in SignEnc during answering a query, we abort SignEnc from answering. The probability of such happening is qH2sg, and this event is not helpful in the forgery because such a query does not provide any information to adversary 𝒜. 2. We also mark a dummy event 𝑏𝑎𝑑sign as trueif, during the VerDec query, S2=Sj and 𝖵𝖾𝗋pkS*(y2)= for IDR=IDR*. This event signifies that the adversary has provided a valid signature on a randomly chosen S2 for a targeted ID of sender and receiver. Later, we show that the probability of such 𝑏𝑎𝑑sign being trueis equivalent to AdvSign,uUF-RMA(k). 3. We also mark an event as 𝑏𝑎𝑑𝑡𝑟𝑢𝑒 in case VerDec returns M if IvdIπ𝒜 is true and flag is still old. Game G13. In G13, we return instead of M in case 𝑏𝑎𝑑𝑡𝑟𝑢𝑒. We check the probability of this bad event happening. This event is possible in either of two cases. We denote the first case as 𝑏𝑎𝑑π and the second case as 𝑏𝑎𝑑sign, e.g., Pr[𝑏𝑎𝑑𝑡𝑟𝑢𝑒]=Pr[𝑏𝑎𝑑π𝑡𝑟𝑢𝑒]+Pr[𝑏𝑎𝑑sign𝑡𝑟𝑢𝑒]. The probability of 𝑏𝑎𝑑π𝑡𝑟𝑢𝑒 is as follows. This is the case when the adversary has generated a valid ciphertext using an individual query to π𝒜 with the help of a known message/signature pair. Adversary 𝒜 could use custom K, pkR* and values of mi so that adaptive calls of π𝒜 will produce the desired S2 with known σ and some random T. Here comes the part of special addition of an 0r string block in message padding during checkin and checkout. This block forces 𝒜 to select a particular K and values of mi such that, after producing S1, the next output of π𝒜 should be equivalent to the first r-bit of S2. This is essential to pass the checkout function. The probability of this happening is qsc2r for the available qsc message/signature pairs through SignEnc queries. The probability of 𝑏𝑎𝑑sign𝑡𝑟𝑢𝑒 is as follows. This case happens when the adversary has generated a valid ciphertext using Iπ𝒜 having known an individual query to π𝒜 and without the help of a known message/signature pair by generating a valid signature for random S2. This could happen as follows: The adversary 𝒜 asks queries to π for some random K, pkR* and custom mi’s according to the checkout function to generate random Kh, S1, S2 and Tk, which will also validate T=T upon verification. Now, in order to pass the validation of Sign, 𝒜 needs to have a valid signature over Sign for random S2. Because 𝒜 knows the targeted message before generating the signature, this becomes equivalent to universal forgery for a random message. Therefore, Pr[𝑏𝑎𝑑sign]AdvSignuUF-RMA(k). Therefore, the adversary needs to produce either a collision over the r-bit of S2 using a π query and known (S2,σ) or, alternatively, produce a valid signature over random S2, which is the output of π queries. Therefore, if the adversary passes the checkout function, then essentially 𝒜 produces the collision. The probability of such a collision happening is qsc2r+Pr[𝑏𝑎𝑑sign]. Therefore, |Pr[G13]-Pr[G12]|qsc2r+AdvSignuUF-RMA(k). ### Figure 12 Game G14. This is the same as G13 with simplified code. Games G14 and G13. G14 is the same as G13. G14 is the final ideal game, and we simplify the cases by merging the bad event with the 𝑓𝑙𝑎𝑔𝑛𝑒𝑤 event because, in both events, VerDec is returning . Now flag is set to newin case (IvdIscandIvdIπ𝒜) or IvdIπ𝒜, and VerDec returns if flag is new. Return of M will happen only if flag is oldand validation of T passed. Now, essentially, 𝒜 will get for all his queries unless either he produces a valid signature on any random S2 not queried before or he queries the output of SignEnc. ∎ ### Figure 13 Adversary over uUF-RMA ## B Proof sketch of Lemma 4.6 ## Proof of Lemma 4.6. We consider the following experiment for IND-CCA security of SIGNCRYPT against adversary 𝒜. The advantage of adversary 𝒜 is given by the probability AdvSIGNCRYPTIND-CCA(k)=|Pr[ExpSIGNCRYPT,𝒜IND-CCA,d(k)=1d${0,1}]-12|.

We will use game-playing techniques [9, 10]. We start from the original CCA game ExpSIGNCRYPT,𝒜 or (ExpSIGNCRYPT,𝒜IND-CCA,d(k)=1d${0,1}), which denotes the event that 𝒜 outputs d=d, where d${0,1}. We want to show that

|Pr[ExpSIGNCRYPT,𝒜]|=12+negl(k),

where negl() is a negligible function and negl(k)AdvSIGNCRYPTIND-CCA(k). In each game, the following set is maintained: I by π, Iπ𝒜 by π𝒜, and Y stores the capacity c-bit values upon each query to π.

We modify SIGNCRYPT into a sequence of games G0, G1, …, G12 such that

Pr[Exp-SpAEP,𝒜]=Pr[ExpG0,𝒜],
Pr[ExpG(i-1),𝒜]=Pr[ExpGi,𝒜]+negl(k)for all 1i11,
Pr[ExpG12,𝒜]=12.

Games G0 to G5. From G0 to G5, exactly the same changes follow as in the proof of Lemma 4.2. Therefore,

|Pr[ExpG0,𝒜]-Pr[ExpG5,𝒜]|(qπ-1)qπ2b+1+qπ(qπ+1)2c.

In G5, the game maintains an extra set Ienc, which stores the input/output response of π (as πenc) during the SignEnc challenge query.

### Figure 14

Game G5

Games G5 and G6. Both games are the same. In G6, a dummy operation of 𝑓𝑙𝑎𝑔𝑛𝑒𝑤 is added in the VerDec oracle to denote a new query. The query is new in the sense that neither the query nor any part of the query during internal calls to π was queried earlier by the adversary. That is, 𝑓𝑙𝑎𝑔𝑛𝑒𝑤 if any π’s responses are not in Iπ𝒜. Now the code of G6 can check the condition T=T in the cases 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤 and 𝑓𝑙𝑎𝑔=𝑜𝑙𝑑 separately. If T=T and 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤, then we mark this event as 𝑏𝑎𝑑π𝑡𝑟𝑢𝑒 because 𝑏𝑎𝑑π is just a dummy event and the return of VerDec in G6 is not affected. Therefore, |Pr[ExpG6,𝒜]|=|Pr[ExpG5,𝒜]|.

Games G6 and G7. In G7, in VerDec, we return instead of M in case 𝑏𝑎𝑑π is true. Therefore,

|Pr[ExpG7,𝒜]-Pr[ExpG6,𝒜]|Pr[𝑏𝑎𝑑π𝑡𝑟𝑢𝑒].

Let (v1v2)=π(xw), where x,v1{0,1}r and w,v2{0,1}c. In VerDec, an input is a new query to π when ((xw),(v1v2))Iπ𝒜 and an old query when ((xw),(v1v2))Iπ𝒜. If a new query (xw) is input to π during VerDec, then π outputs v1v2, where v2c. That is, v2 is also new. Since v2 is unseen so far, this ensures that the input to the next call of π is certainly new. Further, since v2 is new, the next input xv2 satisfies the condition (xv2,*)Iπ𝒜, where * stands for any b-bit value. Therefore, one new query makes all subsequent inputs to π() new. We already know that, for any new query, the r-bit response of π is random. Therefore, in case 𝑓𝑙𝑎𝑔=𝑛𝑒𝑤, the probability of T=T is equivalent to a collision over the k-bit T value. Therefore, Pr[𝑏𝑎𝑑π𝑡𝑟𝑢𝑒]=qusc2k for qusc VerDec queries. Therefore,

|Pr[ExpG7,𝒜]-Pr[ExpG6,𝒜]|qusc2k.

Now if this bad event does not happen, then G7 will return M only in case all π responses are already known to 𝒜. Consecutively, 𝒜 already knows the answer of VerDec with the help of π queries and available Sign, Ver and Enc functions.

### Figure 15

Games G6 and G7. G6 includes dummy lines, shown in dashed boxes, compared to G5 along with the rounded box. G7 includes all code lines of G6 and also the solid box except for the rounded box.

### Figure 16

Game G8. Output of the decryption oracle in G8 is the same as G7 but independent from sk.

Game G8. Both games are the same. G7 and G8 both return when a new query is given to the VerDec oracle. In G8, a message M is returned only when all the input/output relations of π, which would be possible during the encryption of M, are already in Iπ𝒜. G8 iterates over all the possible input/output pairs of πIπ𝒜, initially using IV1 and IV3, and tries to find an S1 such that 𝒪PC(S1,Y1)=1. In the positive case, it further calculates K and then tries to find all pairs of input/output responses, which reach to T via K,S1,S2. If any of the responses is missing, then VerDec simply rejects the query. Due to the insider model, a faithful assumption on the signing algorithm is that, for the same input, two different signatures cannot be generated. We will discuss the impact of this assumption later, after the proof.

Games G8 and G9. We start incremental changes in the SIGNCRYPT oracle from G9. In G9, K* is chosen before the signcryption query and after the “find” stage. In both cases, K* remains random, and therefore

|Pr[ExpG9,𝒜]|=Pr[ExpG8,𝒜].

Some extra dummy variables S1*,S2*,T*, along with K*, are also chosen after the find stage but not used. A dummy value Y1* is calculated on S1* using Enc.

Games G9 and G10. In G9, K* is generated randomly. In G10, K* is computed using the value of randomly generated S1*, Kh* and Y1* . The value of K* is calculated via Hπenc(IV1IV2,y1*,y2*,,yj*)Kh*, where y1*,y2*,,yj*=S1*Y1*. Here Hπenc(*) represents the sponge function with IV=IV1IV2 using the permutation πenc. Since π is an ideal permutation and Kh* is a random value, K* will also be random. Therefore, G9 and G10 are the same,

|Pr[ExpG10,𝒜]|=|Pr[ExpG9,𝒜]|.

Game G11. In G10, during signcryption (Kh*,S1*,S2*,T*) was calculated using K* and the r-bit random output of π. In G11, we directly allocate random Kh*, S1*, S2*, Tk* values to the signcryption oracle. Earlier, in G10, during signcryption, (Kh*,S1*,S2*,Tk*) has a relation with K*, whereas, in G11, there is no relation between (Kh*,S1*,S2*,Tk*) and K*. This gap can only be exploited if K* is known to adversary 𝒜 and queried IDS*IDR*K*IV2 to π. We mark this query by 𝒜 to π as 𝑏𝑎𝑑K𝑡𝑟𝑢𝑒. Therefore, |Pr[ExpG11,𝒜]-Pr[ExpG10,𝒜]|Pr[𝑏𝑎𝑑K𝑡𝑟𝑢𝑒]. If this 𝑏𝑎𝑑K event does not happen, then essentially Kh*, S1*, S2*, Tk* will be random and also independent from Md.

### Figure 17

Games G9 and G10. G9 includes some extra dummy variables, shown in the dashed box, during initialization after find stage. G10 includes the solid-box code during initialization, in which K* is chosen from random C*.

### Figure 18

Game G11. All values of the encryption oracle are replaced by random variables if the adversary does not query K* to π𝒜.

Game G12. This is the final game of adversary 𝒜. It is the same as G11; if 𝑏𝑎𝑑K does not happen, then essentially S1* remains unknown to the adversary along with K*. The 𝑏𝑎𝑑K event in G11 is the same as 𝑏𝑎𝑑1K in G12 because the sign-ciphertext is random and independent of Md; therefore

|Pr[ExpG12,𝒜]|=|Pr[ExpG11,𝒜]|=12.

### Figure 19

Game G12 as final game, and adversary C using G12 as adversary A

The probability of 𝑏𝑎𝑑1K is

Pr[𝑏𝑎𝑑1K]=Pr[IDS*IDR*K*IV2is queried to(π𝒜orπ𝒜-1)]=Pr[(IDS*IDR*K*IV2is queried to(π𝒜orπ𝒜-1))(IencIπ𝒜)]+Pr[(IDS*IDR*K*IV2is queried to(π𝒜orπ𝒜-1))(IencIπ𝒜)],

where (IencIπ𝒜) implies that all the input/output relations of πenc are also known to the adversary 𝒜 via the set Iπ𝒜. Therefore, 𝒜 knows all yi* for 1ie and h*. Moreover, the adversary 𝒜 learns K* from Kh* of the challenged ciphertext.

Given (Kh*,Y1*,Y2*=(S2*,σ*),T*), if IDS*IDR*K*IV2 is queried to π, then it reveals S1* completely. Therefore,

where IencIπ𝒜 implies that one of the inputs to Hπenc() is unknown to the adversary 𝒜. This results in an unknown output value from Hπenc(). Since Kh* is already random, therefore K* remains unknown and random to 𝒜. Since ID* and IV2 are public, the query IDS*IDR*K*IV2 to π𝒜 is equivalent to random guessing of K*.

The last game G12 can be used to simulate adversary for simulating adversary 𝒜’s queries. Here the adversary tries to recover the first k bits from the input to Enc on given random y and other public information. ∎

### References

[1] M. Abe, R. Gennaro and K. Kurosawa, Tag-KEM/DEM: A new framework for hybrid encryption, J. Cryptology 21 (2008), no. 1, 97–130. 10.1007/s00145-007-9010-xSearch in Google Scholar

[2] J. H. An, Y. Dodis and T. Rabin, On the security of joint signature and encryption, Advances in Cryptology – EUROCRYPT 2002, Lecture Notes in Comput. Sci. 2332, Springer, Berlin (2002), 83–107. 10.1007/3-540-46035-7_6Search in Google Scholar

[3] C. Badertscher, F. Banfi and U. Maurer, A constructive perspective on signcryption security, Security and Cryptography for Networks – SCN 2018 Lecture Notes in Comput. Sci. 11035, Springer, Berlin (2018), 102–120. 10.1007/978-3-319-98113-0_6Search in Google Scholar

[4] J. Baek, R. Steinfeld and Y. Zheng, Formal proofs for the security of signcryption, Public Key Cryptography – PKC 2002 Lecture Notes in Comput. Sci. 2274, Springer, Berlin (2002), 80–98. 10.1007/3-540-45664-3_6Search in Google Scholar

[5] J. Baek, W. Susilo, J. K. Liu and J. Zhou, A new variant of the Cramer–Shoup KEM secure against chosen ciphertext attack, Applied Cryptography and Network Security – ACNS 2009 Lecture Notes in Comput. Sci. 5536, Springer, Berlin (2009), 143–155. 10.1007/978-3-642-01957-9_9Search in Google Scholar

[6] T. K. Bansal, D. Chang and S. K. Sanadhya, Sponge based CCA2 secure asymmetric encryption for arbitrary length message, Information Security and Privacy – ACISP 2015 Lecture Notes in Comput. Sci. 9144, Springer, Berlin (2015), 93–106. 10.1007/978-3-319-19962-7_6Search in Google Scholar

[7] M. Bellare and P. Rogaway, Optimal asymmetric encryption, Advances in Cryptology – EUROCRYPT 1994, Lecture Notes in Comput. Sci. 950, Springer, Berlin (1995), 92–111. 10.1007/BFb0053428Search in Google Scholar

[8] M. Bellare and P. Rogaway, The exact security of digital signatures - how to sign with RSA and rabin, Advances in Cryptology – EUROCRYPT 1996, Lecture Notes in Comput. Sci. 1070, Springer, Berlin (1996), 399–416. 10.1007/3-540-68339-9_34Search in Google Scholar

[9] M. Bellare and P. Rogaway, Code-based game-playing proofs and the security of triple encryption, preprint (2004), http://eprint.iacr.org/2004/331. 10.1007/11761679_25Search in Google Scholar

[10] M. Bellare and P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, Advances in Cryptology – EUROCRYPT 2006, Lecture Notes in Comput. Sci. 4004, Springer, Berlin (2006), 409–426. 10.1007/11761679_25Search in Google Scholar

[11] G. Bertoni, J. Daemen, M. Peeters and G. V. Assche, Duplexing the sponge: Single-pass authenticated encryption and other applications, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2011), 320–337. 10.1007/978-3-642-28496-0_19Search in Google Scholar

[12] G. Bertoni, J. Daemen, M. Peeters and G. V. Assche, Permutation-based encryption, authentication and authenticated encryption, preprint (2012). Search in Google Scholar

[13] G. Bertoni, J. Daemen, M. Peeters and G. V. Assche, Keccak, Advances in Cryptology – EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Berlin (2013), 313–314. 10.1007/978-3-642-38348-9_19Search in Google Scholar

[14] T. E. Bjørstad and A. W. Dent, Building better signcryption schemes with tag-kems, Public Key Cryptography – PKC 2006, Lecture Notes in Comput. Sci. 3958, Springer, Berlin (2006), 491–507. 10.1007/11745853_32Search in Google Scholar

[15] T. E. Bjørstad, A. W. Dent and N. P. Smart, Efficient KEMs with partial message recovery, Cryptography and Coding, Lecture Notes in Comput. Sci. 4887, Springer, Berlin (2007), 233–256. 10.1007/978-3-540-77272-9_15Search in Google Scholar

[16] D. Chiba, T. Matsuda, J. C. N. Schuldt and K. Matsuura, Efficient generic constructions of signcryption with insider security in the multi-user setting, Applied Cryptography and Network Security – ACNS 2011, Lecture Notes in Comput. Sci. 6715, Springer, Berlin (2011), 220–237. 10.1007/978-3-642-21554-4_13Search in Google Scholar

[17] R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, Advances in Cryptology – Crypto 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 13–25. 10.1007/BFb0055717Search in Google Scholar

[18] A. W. Dent, A designer’s guide to KEMs, Cryptography and Coding, Lecture Notes in Comput. Sci. 2898, Springer, Berlin (2003), 133–151. 10.1007/978-3-540-40974-8_12Search in Google Scholar

[19] A. W. Dent, Hybrid signcryption schemes with insider security, Information Security and Privacy – ACISP 2005, Lecture Notes in Comput. Sci. 3574, Springer, Berlin (2005), 253–266. 10.1007/11506157_22Search in Google Scholar

[20] A. W. Dent, Hybrid signcryption schemes with outsider security, Information Security – ISC 2005, Lecture Notes in Comput. Sci. 3650, Springer, Berlin (2005), 203–217. 10.1007/11556992_15Search in Google Scholar

[21] A. W. Dent and Y. Zheng, Practical Signcryption, Springer, Berlin, 2010. 10.1007/978-3-540-89411-7Search in Google Scholar

[22] Y. Dodis, M. J. Freedman, S. Jarecki and S. Walfish, Versatile padding schemes for joint signature and encryption, Proceedings of the 11th ACM Conference on Computer and Communications Security – CCS’04, ACM, New York (2004), 344–353. 10.1145/1030083.1030129Search in Google Scholar

[23] Y. Dodis, M. J. Freedman and S. Walfish, Parallel signcryption with oaep, pss-r, and other feistel paddings, preprint (2003), http://eprint.iacr.org/2003/043. Search in Google Scholar

[24] E. Fujisaki and T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, J. Cryptology 26 (2013), no. 1, 80–101. 10.1007/s00145-011-9114-1Search in Google Scholar

[25] T. E. Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory 31 (1985), no. 4, 469–472. 10.1109/TIT.1985.1057074Search in Google Scholar

[26] M. P. Guido Bertoni, Joan Daemen and G. V. Assche, Sponge functions, ECRYPT Hash Function Workshop, 2007. Search in Google Scholar

[27] E. Kiltz, Chosen-ciphertext security from tag-based encryption, Theory of Cryptography – TCC 2006, Lecture Notes in Comput. Sci. 3876, Springer, Berlin (2006), 581–600. 10.1007/11681878_30Search in Google Scholar

[28] K. Kurosawa and Y. Desmedt, A new paradigm of hybrid encryption scheme, Advances in Cryptology – CRYPTO 2004, Lecture Notes in Comput. Sci. 3152, Springer, Berlin (2004), 426–442. 10.1007/978-3-540-28628-8_26Search in Google Scholar

[29] B. Libert and J. Quisquater, Efficient signcryption with key privacy from gap diffie-hellman groups, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 187–200. 10.1007/978-3-540-24632-9_14Search in Google Scholar

[30] J. Malone-Lee and W. Mao, Two birds one stone: Signcryption using RSA, Topics in Cryptology – CT-RSA 2003, Lecture Notes in Comput. Sci. 2612, Springer, Berlin (2003), 211–225. 10.1007/3-540-36563-X_14Search in Google Scholar

[31] T. Matsuda, K. Matsuura and J. C. N. Schuldt, Efficient constructions of signcryption schemes and signcryption composability, Progress in Cryptology – INDOCRYPT 2009, Lecture Notes in Comput. Sci. 5922, Springer, Berlin (2009), 321–342. 10.1007/978-3-642-10628-6_22Search in Google Scholar

[32] T. Okamoto and D. Pointcheval, REACT: Rapid enhanced-security asymmetric cryptosystem transform, Topics in Cryptology – CT-RSA 2001, Lecture Notes in Comput. Sci. 2020, Springer, Berlin (2001), 159–175. 10.1007/3-540-45353-9_13Search in Google Scholar

[33] J. Pieprzyk and D. Pointcheval, Parallel authentication and public-key encryption, Information Security and Privacy – ACISP 2003, Lecture Notes in Comput. Sci. 2727, Springer, Berlin (2003), 387–401. 10.1007/3-540-45067-X_33Search in Google Scholar

[34] J. Pieprzyk and D. Pointcheval, Parallel signcryption, Practical Signcryption, Springer, Berlin (2010), 175–192. 10.1007/978-3-540-89411-7_9Search in Google Scholar

[35] V. Shoup, OAEP reconsidered, J. Cryptology 15 (2002), no. 4, 223–249. 10.1007/s00145-002-0133-9Search in Google Scholar

[36] R. Steinfeld and Y. Zheng, A signcryption scheme based on integer factorization, Information Security – ISW 2000, Lecture Notes in Comput. Sci. 1975, Springer, Berlin (2000), 308–322. 10.1007/3-540-44456-4_23Search in Google Scholar

[37] C. H. Tan, Signcryption scheme in multi-user setting without random oracles, Advances in Information and Computer Security – IWSEC 2008, Lecture Notes in Comput. Sci. 5312, Springer, Berlin (2008), 64–82. 10.1007/978-3-540-89598-5_5Search in Google Scholar

[38] Y. Zheng, Digital signcryption or how to achieve cost(signature & encryption)<<cost(signature) + cost(encryption), Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 165–179. 10.1007/BFb0052234Search in Google Scholar

[39] SHA3 Hash function competition, 2007; http://csrc.nist.gov/groups/ST/hash/sha-3/index.html, last visited 02-Jan-2017. Search in Google Scholar