## 1 Introduction

The aim of signcryption is to provide both confidentiality and authentication of messages more efficiently than performing encryption and signing independently. The reduction of the computational cost makes signcryption more practical and a preferred option for e-commerce and e-mail applications, where both confidentiality and authentication are required. Zheng [38] introduced the signcryption notion in 1997. He proposed a signcryption solution based on the El-Gamal [25] encryption and signature, leaving the design of generic signcryption schemes as an open problem, which has since received considerable attention.

The study of generic compositions of encryption and signature was initiated by An, Dodis and Rabin [2]. They considered different methods for designing signcryption through a black-box composition of secure signature and public-key encryption. In particular, they showed that both “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) lead to secure signcryption schemes. However, the parallel “sign-and-encrypt” (S&E) composition does not provide privacy, since the signature may reveal information about the encrypted messages. They introduced an alternative generic method termed “commit-then-sign-and-encrypt” (CtS&E) that provides some security guarantee for S&E. Note that CtS&E compositions lead to parallel signcryption.

An, Dodis and Rabin [2] also defined two types of security for signcryption, namely, outsider and insider security. Outsider security deals with an external adversary who knows the public keys of a sender and a receiver. In the insider security model, attacks come from the other party participating in the communication. In other words, an insider adversary is either the sender who wants to compromise receiver confidentiality or the receiver who tries to defeat sender unforgeability. Since security against an insider adversary implies security against an outsider adversary, the former is preferred.

A different security model for signcryption, which has been adopted in a few early papers [2, 20], is the two-user setting. In this model, a single sender interacts with a single receiver. However, as pointed out by Dent [20], security in the two-user model does not imply security in the multi-user model, in which either several senders communicate with the same receiver or, alternatively, several receivers obtain messages from a single sender. Hence, to ensure a realistic security concept, a multi-user security model must be adopted. The strongest security definitions, which capture both insider confidentiality and unforgeability for the multi-user setting, have been given in [29]. For an overview of different security models, see [31, 21]. A recent paper by Badertscher, Banfi and Maurer [3] also supports the need for an insider secure multi-user model for signcryption.

### 1.1 Background

In 2002, An, Dodis and Rabin [2] presented a methodology for parallel encryption and signing. A plaintext *m* is first transformed into a pair (*c*, *d*), where *c* is a commitment and *d* is a de-commitment. The value *c* reveals no information about *m*, while the pair (*c*, *d*) allows *m* to be recovered. Once the transformation is done, the sender signs *c* and encrypts *d* in parallel using appropriate encryption and signature algorithms. On the receiver side, the signature on *c* is verified and *d* is recovered from its ciphertext. Both operations are executed in parallel. Finally, the plaintext *m* is reconstructed from (*c*, *d*).

The work by An, Dodis and Rabin [2] has instigated investigation into new ways to define signcryption in more generic ways. Note that early works present signcryption whose security depends on intractable problems such as discrete logarithm [38] and integer factoring [36, 30]. The authors of earlier works left an open question of designing signcryption under weaker security assumptions for encryption and signature schemes that do not relate to any specific intractability assumption. For example, the generic trapdoor one-wayness (OW) assumption is satisfied by the RSA encryption (when integer factorization is intractable) and the ElGamal encryption (when the computational Diffie–Hellman (CDH) problem is intractable). In this paper, we consider cryptographic primitives (encryption and signature), whose security assumptions are generic.

Parallel signcryption is further investigated by Pieprzyk and Pointcheval [33]. They proposed to use a secret sharing scheme, in which a message *m* is first split into two shares.
The first share

Dodis et al. [23, 22] propose a different approach to perform parallel signcryption. In their approach, they use a Feistel probabilistic padding, which can be viewed as a generalization of other existing probabilistic paddings such as OAEP [7], OAEP+ [35], PSS-R [8], etc. The authors argue that their signcryption provides IND-CCA and strong existential unforgeability (sUF-CMA) security assuming trapdoor one-way permutations only.

Hybrid signcryption is an attractive approach in the design of signcryption schemes. It follows the idea of hybrid encryption discussed in many works [17, 18, 28, 27, 15, 1, 5, 24]. Hybrid encryption consists of an asymmetric *key encapsulation mechanism* (KEM) and a symmetric *data encapsulation mechanism* (DEM). The first formal treatment of security of signcryption has been done by Dent [19, 20]. Some other related works are [14, 37, 31, 16]. Converting a hybrid encryption scheme to hybrid signcryption turns out to be much trickier than it looks. The main difficulty is an increase in complexity of analysis that results from a more complex adversarial model. It is necessary to consider not only straightforward attacks against authenticity and confidentiality of messages but also more intricate issues such as the distinction between outsider and insider attacks. Moreover, CtS&E-type compositions are always preferred as a base for constructing secure KEMs.

### 1.2 Limitation of existing schemes

A majority of signcryption schemes follow the sequential designs StE or EtS. Note that all schemes for hybrid signcryption with KEM/DEM [19, 20, 14, 16] follow the sequential design. The sequential design limits the efficiency of signcryption. This limitation can be lifted by using the CtS&E composition, which performs encryption and signing in parallel and independently from each other. Many signcryption schemes are built using some specific intractability assumptions (for example, intractability of discrete logarithm [38, 4, 29]). These constructions are not generic as the assumptions limit the choice of underlying encryption and signature schemes. Constructions for hybrid signcryption are generic, but they require stronger security properties from key and data encapsulation mechanisms. For example, a recent generic hybrid signcryption scheme given by Chiba et al. [16] requires an IND-CCA secure KEM, a one-time secure symmetric-key encryption, a one-time secure message authentication code and a strong existentially unforgeable signature scheme. These requirements are much stronger than those needed in already available non-hybrid schemes [33].

To the best of our knowledge, there is no hybrid signcryption that claims IND-CCA security and existential unforgeability using weak security properties like one-wayness and universal unforgeability. Most signcryption schemes require existential unforgeability of the underlying signature scheme, which is a stronger assumption than universal unforgeability. A common method used to build CtS&E-type schemes [33, 30, 22, 34] is an OAEP-type padding. The padding gives rise to some common limitations: (1) it restricts the message space, (2) it works with deterministic one-way encryption and deterministic signatures only and (3) it provides security in the random oracle (RO) model. The unavailability of different types of padding schemes limits the extension of work on the CtS&E composition. Table 1 gives a brief summary of generic signcryption schemes based on CtS&E.

Table 1. Generic signcryption schemes based on CtS&E-type composition, where IND stands for indistinguishability, OW for one-wayness, CPA/CMA for chosen plaintext/message attack, CCA for chosen ciphertext attack, UF for existential unforgeability, uUF for universal unforgeability, suUF for strong uUF, RMA for random message attack, gCCA for generic CCA, OW-CPA for trapdoor one-way permutation and OW-PCA for one-wayness under plaintext-checking attack.

| Schemes | Model | Encryption | Signature | Message length | # of other functions | Signcryption |
|---|---|---|---|---|---|---|
| An, Dodis and Rabin | No specific | IND-CCA | UF-CMA | Restricted | Commitment scheme | IND-gCCA/UF-CMA |
| Pieprzyk and Pointcheval | Random oracle | OW-CPA | suUF-RMA | Restricted | 3 hash, 1 secret share scheme | IND-CCA/sUF-CMA |
| Dodis et al. | Random oracle | OW-CPA | sUF-CMA | Restricted | 1 hash, 1 commitment scheme | IND-CCA/sUF-CMA |
| | | | | Unrestricted | 1 hash, 1 commitment scheme, symmetric encryption | |
| Our result | Ideal permutation | OW-CPA | suUF-RMA | Unrestricted | 1 SpongeWrap, 1 sponge function | IND-CCA/sUF-CMA |
| | | OW-PCA | uUF-RMA | | | IND-CCA/UF-CMA |

### 1.3 Motivation

A randomized padding, like OAEP, is a powerful tool, which converts weakly secure fixed trapdoor one-way functions into public-key encryption that is secure against strong adaptive chosen ciphertext attacks. The padding has been used in signcryption as a part of the commitment scheme in the CtS&E composition. It is known that CtS&E allows the use of weak cryptographic primitives in a generic way to achieve a strong security of signcryption. A good example of such composition is the results by Pieprzyk and Pointcheval [33, 34], which integrate any one-way encryption system (such as the basic RSA) with a weakly secure signature (non-universally forgeable signatures) into a strong chosen-ciphertext secure and existentially unforgeable signcryption in the RO model. The limitation of functionality, like message space restriction or type of encryption scheme, is inherited from the commitment or padding scheme used.

Recently, motivated by the OAEP design, Bansal, Chang and Sanadhya [6] proposed another type of padding called SpAEP. SpAEP is based on the sponge permutation structure, where permutation is considered as an ideal permutation, and the resulting sponge has no restriction on maximum message space. Unlike KEM-DEM, the SpAEP padding provides a pathway to combine symmetric and asymmetric primitives without a strict delineation. In brief, SpAEP uses a versatile sponge function and SpongeWrap [26, 11, 12] in pipelined fashion, and a portion of its output is used as input to the asymmetric encryption. The padding provides similar security guarantees as OAEP, but it is more efficient. The SpAEP padding can be used with trapdoor one-way permutations only. The sponge-based padding SpAEP [6] is versatile and has been used in a different security model for asymmetric encryption based on an ideal permutation. The padding scheme supports arbitrarily long messages, uses small domain permutations and applies “on the fly” encryption. Its running time is equivalent to a hash function.

Motivated by the versatility of the sponge-based padding and by the amplification of security properties (as demonstrated in [33, 34]), we would like to develop a generic signcryption scheme that is secure in the ideal permutation model. We intend to use weak asymmetric primitives such as trapdoor one-way encryption and universally unforgeable signatures. The scheme is designed to support arbitrarily long messages. Experimental comparisons of the proposed scheme with existing generic signcryption schemes based on implementation are beyond the scope of this paper. However, a structural comparative analysis is provided in the next section.

### 1.4 Structural comparison

Generally, runtime performance of any signcryption is determined by processing time of asymmetric primitives, irrespective of underlying message-padding scheme, except perhaps for very long plaintexts (which many existing signcryption schemes do not even support). Therefore, structural efficiency improvement plays a secondary role in overall performance of signcryption, with the primary role being played by the ability to use weaker and faster asymmetric components. Nevertheless, simple and feature-rich message padding is always required to widen the applicability and usability of signcryption.

The proposed scheme uses only one SpongeWrap function and one sponge function.
From the efficiency point of view, the proposed scheme is optimal since only a single call of SpongeWrap (

When compared to other generic schemes, Pieprzyk and Pointcheval [33] use a hash function, a secret sharing and OAEP (2 hash functions). A similar overhead is seen in the construction proposed by Dodis et al. [23, 22]. A simple practical generic signcryption scheme is proposed by Dodis et al. [23, 22]. The authors proposed a padding scheme called P-pad, which is equivalent to OAEP+ [35]. A detailed comparison of OAEP+ and sponge-based padding (SpAEP) is provided by Bansal, Chang and Sanadhya [6], which shows that sponge-based padding schemes are more efficient and practical than OAEP-type padding schemes. In the case of arbitrarily long messages, the scheme of Dodis et al. [23, 22] requires an additional symmetric encryption, unlike our proposed scheme. These additional requirements of different functions with different input-output settings increase the implementation effort. Overall, therefore, our proposed scheme provides a simpler and more feature-rich message padding scheme for the construction of generic signcryption schemes.

### 1.5 Contributions

In this paper, we make the following contributions.

- (i) We present a signcryption scheme in the ideal permutation model using the sponge structure. First, we propose signcryption for messages of a fixed length. Then we show how to extend it to arbitrarily long messages. With careful analysis, we demonstrate how different combinations of weakly secure probabilistic/deterministic encryption and signature schemes can be used to build strongly secure generic signcryption. To the best of our knowledge, this is the first sponge-based signcryption. We also believe that the proposed signcryption is the first scheme that allows different combinations of weakly secure encryption and signature schemes to yield strongly secure signcryption supporting arbitrarily long messages.
- (ii) The demands on component security are merely one-wayness for encryption and universal unforgeability for signatures. These minimum security requirements are sufficient to achieve indistinguishability and existential unforgeability against adaptive attacks. Such weak requirements were previously fulfilled only in [33, 34], but the scope of [33, 34] is limited to a fixed message space and deterministic encryption and signatures.
- (iii) Apart from the encryption and signature primitives, our scheme requires an ideal permutation only. The iterative permutation model we use is based on the well-known iterative sponge structure. Note that, after the success of KECCAK [13] in the SHA-3 competition [39], the sponge structure is becoming more and more popular and can serve as a “Swiss army knife” in cryptography.
- (iv) The flexibility of the sponge-based padding allows the system to scale from relatively short messages to long ones while preserving its security properties. Besides, the complexity of the security analysis does not increase. Note that some extra redundant data is used in the proposed sponge padding; it plays an important role in supporting long messages.

The sponge structure used for message padding resembles the padding proposed in [6] but differs in two aspects. First, some extra redundant data is used to allow the usage of sponge padding with a signature to provide both unforgeability and confidentiality. Second, while the padding in [6] applies for deterministic asymmetric encryption only, here we extend the sponge padding, so it also works with probabilistic asymmetric primitives.

Some properties are naturally inherited from the sponge structure. Signcryption offers an “on the fly” computation property during the signcryption and unsigncryption processes. An implementation does not need to use the inverse permutation, which saves implementation effort and memory.

### Streaming

Our signcryption strategy enables unbuffered “on the fly” data processing (a.k.a. “streaming”, “online”, “single-pass” operation) during both the signcryption and unsigncryption processes. This is of significant interest when handling large messages, and one of the differentiating features of our scheme. For the avoidance of doubt, we note that single-pass unsigncryption necessarily requires that the recipient be able to discard an already decrypted stream that ends up failing authentication, with no persistent side-effect, for IND-CCA security. This operational limitation only applies to unsigncryption.

## 2 Preliminaries

### Notations

In this work, we use *x*, and *x* and *y*.
If *n* is a positive integer, then the symbol *n*-bit strings.
We also use *r* bits of the string *X*, where *x* from a set *I* is denoted by

### 2.1 Ideal permutation

A permutation π is a bijective function on a finite domain *D* and range *R*, where *D*.
More precisely,

### 2.2 Public-key encryption

### Description

A public-key encryption scheme Encrypt is defined by the following three algorithms:

- the key generation algorithm $\mathsf{GenEnc}(1^k)$ that produces a pair $(\mathrm{pk}, \mathrm{sk})$ of public and private keys on input $1^k$, where *k* is the security parameter,
- the encryption algorithm $\mathsf{Enc}_{\mathrm{pk}}(m; g) = c$ that outputs a ciphertext *c* for a message $m \in \mathcal{M}$ and a public key $\mathrm{pk}$ using random coins $g \in \mathtt{COINS}$ (the message and coin spaces $\mathcal{M}$ and $\mathtt{COINS}$ are uniquely determined by $\mathrm{pk}$),
- the decryption algorithm $\mathsf{Dec}_{\mathrm{sk}}(c)$ that recovers a message *m* from a ciphertext *c* using a secret key $\mathrm{sk}$.

We require that an asymmetric encryption scheme should satisfy the following correctness condition.
For all

### Security notions

The simplest security notion for public-key encryption is one-wayness (OW).
This is to say that an adversary *m* knowing a ciphertext *c* and a public key.
We denote the maximum probability of success that an adversary can invert the encryption of a random plaintext *m* in time *t* by *plaintext checking oracle* (

A stronger security notion has also been defined. It is the so-called semantic security (a.k.a. indistinguishability of encryptions, IND). This is to say that a ciphertext should not leak any information about the encrypted message. More formally, knowing that a ciphertext is an encryption of one of two known messages, an adversary cannot guess the message with a non-negligible advantage. An adversary is seen as a 2-stage Turing machine (

An adversary can try many different attacks. Knowing a public key, the adversary can encrypt any plaintext of its choice. This scenario is called the chosen-plaintext attack and denoted by CPA. Other attacks allow the adversary a restricted or unrestricted access to various oracles. The strongest attack allows the adversary to query the decryption oracle, which can be accessed adaptively in the chosen-ciphertext scenario (denoted as CCA). There is a restriction for queries – any query to the oracle should be different from the challenge ciphertext.

### 2.3 Signatures

### Description

A digital signature scheme Sign consists of the following three algorithms:

- GenSign, the key generation algorithm, which, for a security parameter *k*, outputs a pair of public and private keys $(\mathrm{pk}, \mathrm{sk})$,
- Sign, the signing algorithm, which takes a message *M* and the secret key $\mathrm{sk}$ and outputs a signature $\sigma = \mathsf{Sign}_{\mathrm{sk}}(M)$,
- Ver, the verification algorithm, which accepts a signature σ, a message *M* and a public key $\mathrm{pk}$ and returns a binary answer $\mathsf{Ver}_{\mathrm{pk}}(\sigma, M)$ (valid $\top$ or invalid $\perp$).

We assume that the signing algorithm takes an input of maximum

### Security notions

An adversary attempts to forge a signature. The probability of achieving this is assessed via the following game between a probabilistic polynomial time (PPT) adversary and a challenger.

- (i) The challenger generates a key pair $(\mathrm{sk}, \mathrm{pk}) \leftarrow \mathsf{GenSign}(1^k)$.
- (ii) The adversary runs $\mathcal{A}^{\mathcal{O}}(1^k, \mathrm{pk})$. It has access to an oracle $\mathcal{O}$ (which will be described below). The adversary terminates by outputting a message $m^*$ and its signature $\sigma^*$.

In terms of resources, there are two types of attacks. The type of attack specifies the power that the adversary has in the attack.

- In a *no-message attack* (NMA), the oracle gives no response. This is equivalent to an attack model in which the adversary does not have access to the oracle $\mathcal{O}$. The adversary knows only the public key $\mathrm{pk}$ of the signer.
- In the second, a *known-message attack*, the adversary has access to a signature oracle providing a list of valid message/signature pairs in addition to knowledge of the public key of the signer. If this list contains random and uniformly chosen messages, then the attack is termed a random-message attack (RMA). If this list contains messages chosen by an adversary, the attack is termed a chosen-message attack (CMA). A chosen-message attack seeks to emulate the normal mode of use of a signature scheme, in which an adversary can observe signatures produced by a legitimate party, perhaps in some adversarially chosen way.

There are two ways in which we can assess whether the adversary succeeds in forging a signature.

- Existential unforgeability (UF) – the adversary wins if it outputs a pair $(m^*, \sigma^*)$, where $\mathsf{Ver}_{\mathrm{pk}}(m^*, \sigma^*) = \top$ and the adversary never queried the signature oracle with the message $m^*$.
- Strong existential unforgeability (sUF) – the adversary wins if it outputs a pair $(m^*, \sigma^*)$, where the same conditions as for UF hold and, additionally, the adversary never received the response $\sigma^*$.

In case of a finite message space

- (i) The challenger generates a key pair and a message $m^* \stackrel{\$}{\leftarrow} \mathcal{M}$.
- (ii) The adversary runs $\mathcal{A}^{\mathcal{O}}(1^k, \mathrm{pk}, m^*)$. It has access to an oracle $\mathcal{O}$. The adversary terminates by outputting a signature $s^*$.

We may define two success criteria for this security game.

- In the universal unforgeability (uUF) game, the adversary wins if $\mathsf{Ver}(\mathrm{pk}, m^*, \sigma^*) = \top$ and the adversary never queried the signature oracle with the message $m^*$.
- In the strong universal unforgeability (suUF) game, the adversary wins if $\mathsf{Ver}(\mathrm{pk}, m^*, \sigma^*) = \top$ and the adversary never queried the signature oracle with the message $m^*$ nor received the response $\sigma^*$.

We say a signature is deterministic if signing a message multiple times results in the same signature. We say a signature is probabilistic if signing a message twice results in different signatures with overwhelming probability.

### 2.4 Signcryption: Joint encryption and signing

### Description

A signcryption scheme SignCrypt is defined by the following three algorithms:

- Gen, the key generation algorithm, which outputs a pair of keys $(\mathrm{SDK}, \mathrm{VEK})$ for a security parameter *k*, where $\mathrm{SDK}$ is the user’s sign/decrypt key, which is kept secret, and $\mathrm{VEK}$ is the user’s verify/encrypt key, which is made public,
- SignEnc, the encryption and signing algorithm, which, for a message *M*, the public key of the receiver $\mathrm{VEK}_R$ and the private key of the sender $\mathrm{SDK}_S$, produces a signed ciphertext $Y = \mathsf{SignEnc}_{\mathrm{SDK}_S, \mathrm{VEK}_R}(M)$,
- VerDec, the decryption and verifying algorithm, which, for a signed ciphertext *Y*, the private key of the receiver $\mathrm{SDK}_R$ and the public key $\mathrm{VEK}_S$ of the sender, recovers the message $M = \mathsf{VerDec}_{\mathrm{SDK}_R, \mathrm{VEK}_S}(Y)$. If this algorithm fails either to recover the message or to verify its authenticity, it returns $\perp$.

### Security notions

We can combine the classical security notions of signature and encryption to form a security notion of signcryption under adaptive attacks. Given access to the public information of sender *S* and receiver *R*, the adversary attempts to break

- (i) authenticity (UF): coming up with a valid signed ciphertext of a new message, and thus providing an “existential forgery”,
- (ii) privacy (IND): breaking the “indistinguishability” of signed ciphertexts.

In the security analysis, the adversary may be one of *S* or *R*. So *S* may want to break the privacy, or *R* may want to break authenticity. If signcryption prevents existential forgeries and guarantees indistinguishability in the above attack scenarios (with chosen-message attacks CMA, or adaptive attacks AdA), we say the scheme is secure.

A signcryption scheme is *secure* if it achieves IND/UF under adaptive attacks.

## 3 Sponge-based padding

### Description

Sponge-based padding consists of two functions: *SpWrap* and *Sponge*. *SpWrap* and *Sponge* take some of their length parameters from Encrypt and Sign used in SIGNCRYPT.

### SpWrap

This function is based on an iterated ideal permutation *SpWrap.Enc*() and *SpWrap.Dec*().

On an input message *M* from message space *SpWrap.Enc*() gives the output *K* from the keyspace *SpWrap.Enc*() takes the input message *M*, *K* and some length parameters like *SpWrap.Enc*() is *SpWrap.Dec*() takes a ciphertext *K* and some length parameters like *SpWrap.Dec*() is *M* or

*SpWrap* uses a structure similar to SpongeWrap [11], but its message padding is a little more specific than the general injective reversible padding used in SpongeWrap.
After applying injective reversible padding to the input message, which is required for smooth functioning of the sponge structure, we specifically add a

### Sponge

This function works exactly like the sponge function in [26].
*Sponge* has fixed *b*-bit initial value *SpWrap*.
In *Sponge*, we take *Sponge* takes *k*-bit tag value *h*.
We define the *Sponge* function based on π as follows:

### Properties

One useful property of *SpWrap* is its bijection. Considering a fixed *SpWrap*, each query to *SpWrap.Enc*() has a fixed chain of internal variables because of the permutation π. Therefore, every query has its own unique set of state values: no two different queries can share the whole set of state bits, since the first point of difference between two queries makes the subsequent state values diverge because of the permutation π.

## 4 Parallel signcryption: SIGNCRYPT

In this section, we describe our proposal of parallel signcryption using sponge-based padding. To keep this scheme simple, we start with a restricted message space and a deterministic signature scheme. We remove these conditions in Section 5.

### 4.1 Description

Building blocks of parallel signcryption SIGNCRYPT are

- an encryption scheme $\text{Encrypt} = (\mathsf{GenEnc}, \mathsf{Enc}, \mathsf{Dec})$,
- a signature scheme $\text{Sign} = (\mathsf{GenSign}, \mathsf{Sign}, \mathsf{Ver})$,
- a permutation $\pi : \{0,1\}^{b = r + c} \to \{0,1\}^{b}$ (assumed to behave like an ideal permutation),
- for *k*-bit security of parallel signcryption, π having sufficient $r > c > k$ such that it provides at least *k*-bit security,
- assuming $\ell = n \cdot r$ and $\ell_{\mathrm{sg}} = m \cdot r$ for some positive integers $n, m > 0$,
- a public function *ID*, which maps the public key of any user *A* to a unique $\frac{r-k}{2}$-bit string in a compatible string format as $\mathrm{ID}_A$; the communicating parties are denoted as sender *S* and receiver *R*,
- the length of a message *M* is $\ell + \ell_{\mathrm{sg}} - 2(k+1)$.

Sender *S* generates *R* generates *ID*, the unique identities of sender *S* and receiver *R* will be

The signcryption algorithm SignEnc proceeds as follows.

- (1) Compute $C \parallel T = \mathsf{SpWrap.Enc}(K, M, \mathrm{IV}_1 \parallel \mathrm{IV}_2, r, k, \ell_{\mathrm{sg}})$, where $\mathrm{IV}_1 = \mathrm{ID}_S \parallel \mathrm{ID}_R$, $\mathrm{IV}_2 = 0^c$, $K \stackrel{\$}{\leftarrow} \{0,1\}^k$ and $|K| = k$; *r* is the input rate of π.
- (2) Parse $C \parallel T$ into $S^1 \parallel S^2 \parallel T$, i.e., $C \parallel T = S^1 \parallel S^2 \parallel T$, where $|S^1| = \ell$, $|S^2| = \ell_{\mathrm{sg}}$.
- (3) Calculate (in parallel) $Y_1 = \mathsf{Enc}_{\mathrm{pk}_R}(S^1)$, $\sigma = \mathsf{Sign}_{\mathrm{sk}_S}(S^2)$.
- (4) Calculate $K_h = K \oplus \mathit{Sponge}(S^1 \parallel Y_1)$, $T_k = T \oplus K$.
- (5) The final output $(K_h, Y_1, Y_2 = (S^2, \sigma), T_k)$ is sent to the receiver *R*.

The unsigncryption algorithm VerDec proceeds as follows.

- (1) Calculate (in parallel) $S^1 = \mathsf{Dec}_{\mathrm{sk}_R}(Y_1)$ and $\top/\perp = \mathsf{Ver}_{\mathrm{pk}_S}(Y_2 = (S^2, \sigma))$. Ver returns either valid, $\top$, or $\perp$ if the signature is invalid. In case of $\perp$, the decryption and verification algorithm VerDec returns $\perp$ and stops.
- (2) If Ver returns $\top$, then calculate $K = K_h \oplus \mathit{Sponge}(S^1 \parallel Y_1)$ and $T = T_k \oplus K$.
- (3) Set $C = C^f \parallel C^e = S^1 \parallel S^2$, and set $\mathrm{IV}_1 = \mathrm{ID}_S \parallel \mathrm{ID}_R$, $\mathrm{IV}_2 = 0^c$.
- (4) Compute $M' = \mathsf{SpWrap.Dec}(K \parallel C \parallel T, \mathrm{IV}_1 \parallel \mathrm{IV}_2, r, k, \ell_{\mathrm{sg}})$. Return $M = M'$ if $M' \ne \perp$; else return $\perp$.
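The SignEnc and VerDec steps above, together with the SpWrap/Sponge padding of Section 3, as a runnable toy in Python (an added example, not the paper's code). Everything the paper leaves abstract is a labelled stand-in: an 8-round ARX function for the ideal permutation π, textbook RSA at a toy key size for both the one-way encryption and the deterministic signature, a sponge hash of the public key for the ID function, and byte-aligned parameters with k zero bits of redundancy closing each half of C in place of the paper's exact SpWrap padding (K is placed in the remaining k bits of the first rate block).

```python
import os

# Toy parameters in bytes: rate r = 16 (128 bits), capacity c = 16, k = 4 (32 bits), ell = 2r, ell_sg = r.
R, C_LEN, K_LEN = 16, 16, 4
ELL, ELL_SG = 2 * R, R
MSG_LEN = ELL + ELL_SG - 2 * K_LEN   # 40 bytes; k zero bits per half stand in for the paper's 2(k+1) redundant bits
ID_LEN = (R - K_LEN) // 2            # |ID_A| = (r-k)/2, so ID_S||ID_R||K fills exactly one rate block

def pi(state):
    """Stand-in for the ideal permutation pi: 8 ARX rounds on eight 32-bit words (invertible, NOT secure)."""
    w = [int.from_bytes(state[i:i + 4], "big") for i in range(0, R + C_LEN, 4)]
    for rnd in range(8):
        for i in range(8):
            j = (i + 1) % 8
            w[i] = (w[i] + w[j]) & 0xFFFFFFFF
            w[j] ^= ((w[i] << 7) | (w[i] >> 25)) & 0xFFFFFFFF
        w[0] ^= rnd + 1
    return b"".join(x.to_bytes(4, "big") for x in w)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sponge(data, out_len):
    """Plain sponge over pi (the paper's Sponge): pad10*, absorb r-byte blocks, squeeze out_len bytes."""
    data += b"\x80" + bytes((-len(data) - 1) % R)
    state, out = bytes(R + C_LEN), b""
    for i in range(0, len(data), R):
        state = pi(xor(state[:R], data[i:i + R]) + state[R:])
    while len(out) < out_len:
        out, state = out + state[:R], pi(state)
    return out[:out_len]

def _duplex(key, iv1, body, decrypt):
    """SpongeWrap-style core of SpWrap: state = pi(IV_1||K||0^c); XOR each block with the rate, feed ciphertext back."""
    state, out = pi(iv1 + key + bytes(C_LEN)), b""
    for i in range(0, len(body), R):
        blk = body[i:i + R]
        ct = xor(state[:R], blk)
        out += ct
        state = pi((blk if decrypt else ct) + state[R:])   # only pi is needed, never its inverse
    return out, state[:K_LEN]                                # (C or M, tag T)

def spwrap_enc(key, msg, iv1):
    """SpWrap.Enc(K, M, IV_1||IV_2, r, k, ell_sg) -> C||T for a MSG_LEN-byte M; C = C^f||C^e splits at ell bytes."""
    cut = ELL - K_LEN
    body = msg[:cut] + bytes(K_LEN) + msg[cut:] + bytes(K_LEN)   # k zero bits of redundancy close each half
    return b"".join(_duplex(key, iv1, body, False))

def spwrap_dec(kct, iv1):
    """SpWrap.Dec(K||C||T, IV_1||IV_2, ...) -> M, or None (bottom) if the tag or the redundancy check fails."""
    key, c, t = kct[:K_LEN], kct[K_LEN:-K_LEN], kct[-K_LEN:]
    body, tag = _duplex(key, iv1, c, True)
    cut = ELL - K_LEN
    if tag != t or body[cut:ELL] != bytes(K_LEN) or body[-K_LEN:] != bytes(K_LEN):
        return None
    return body[:cut] + body[ELL:-K_LEN]

def _probable_prime(bits):
    while True:
        p = int.from_bytes(os.urandom(bits // 8), "big") | (1 << (bits - 1)) | 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7, 11, 13, 17)):   # Fermat test, toy only
            return p

def rsa_keygen(bits=400):
    """Textbook RSA at toy size: a deterministic trapdoor one-way permutation, reused as deterministic signature."""
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e:                    # e is prime, so e not dividing phi <=> gcd(e, phi) = 1
            return (n, e), (n, pow(e, -1, phi))   # (pk, sk)

def rsa_apply(key, data):                         # Enc_pk(S^1) with pk, Sign_sk(S^2) with sk; len(n) bytes out
    n, exp = key
    return pow(int.from_bytes(data, "big"), exp, n).to_bytes((n.bit_length() + 7) // 8, "big")

def user_id(pk):                                  # public function ID: pk -> (r-k)/2-bit string (toy choice)
    return sponge(repr(pk).encode(), ID_LEN)

def signcrypt(msg, sk_s, pk_s, pk_r):
    """SignEnc, steps (1)-(5) of Section 4.1."""
    iv1 = user_id(pk_s) + user_id(pk_r)                              # IV_1 = ID_S||ID_R
    key = os.urandom(K_LEN)                                          # K <-$ {0,1}^k
    ct = spwrap_enc(key, msg, iv1)                                   # (1) C||T
    s1, s2, t = ct[:ELL], ct[ELL:ELL + ELL_SG], ct[ELL + ELL_SG:]    # (2) S^1||S^2||T
    y1, sig = rsa_apply(pk_r, s1), rsa_apply(sk_s, s2)               # (3) independent, hence parallelisable
    k_h = xor(key, sponge(s1 + y1, K_LEN))                           # (4) K_h = K xor Sponge(S^1||Y_1)
    return k_h, y1, (s2, sig), xor(t, key)                           # (5) (K_h, Y_1, Y_2 = (S^2, sigma), T_k)

def unsigncrypt(pkt, sk_r, pk_r, pk_s):
    """VerDec, steps (1)-(4): every failure returns None (bottom) and releases no plaintext."""
    k_h, y1, (s2, sig), t_k = pkt
    s1 = pow(int.from_bytes(y1, "big"), sk_r[1], sk_r[0])           # (1) S^1 = Dec_skR(Y_1)
    if s1 >> (8 * ELL) or pow(int.from_bytes(sig, "big"), pk_s[1], pk_s[0]) != int.from_bytes(s2, "big"):
        return None                                                  #     S^1 not ell bits, or Ver_pkS(S^2, sigma) = bottom
    s1 = s1.to_bytes(ELL, "big")
    key = xor(k_h, sponge(s1 + y1, K_LEN))                           # (2) K = K_h xor Sponge(S^1||Y_1), T = T_k xor K
    iv1 = user_id(pk_s) + user_id(pk_r)                              # (3) C = S^1||S^2, IV_1 = ID_S||ID_R, IV_2 = 0^c
    return spwrap_dec(key + s1 + s2 + xor(t_k, key), iv1)            # (4) M' or bottom
```

The point to observe is the fail-closed path: a flipped bit in σ, S^2, T_k or K_h, or verification under the wrong sender key, makes `unsigncrypt` return None (⊥) without releasing any plaintext, which is exactly what the streaming caveat in Section 1.5 demands of a receiver.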

### 4.2 Security of parallel signcryption

Security of signcryption has two facets, namely, IND-CCA security and unforgeability under adaptive chosen message attack (UF-AdA). Before proceeding to the details of our proofs of each part individually, we provide a bird’s eye view of each proof.

**Theorem 4.1.** *If the encryption scheme is OW-PCA and the signature scheme is deterministic uUF-RMA, then the parallel signcryption scheme described in Section 4.1 is IND/UF-AdA secure.*

### Unforgeability

The following lemma can be derived from Theorem 4.1.

**Lemma 4.2.** *If there exists an adversary against the UF-AdA security of the parallel signcryption scheme with advantage $\mathrm{Adv}_{\text{SignEnc}}^{\text{UF-AdA}}(k)$ (whose running time is bounded by $t$ and who makes at most $q_{\pi}^{A}$ queries to the permutation $\pi : \{0,1\}^{b = r + c} \to \{0,1\}^{b}$, $q_{\mathrm{sc}}$ queries to the signcryption oracle and $q_{\mathrm{usc}}$ queries to the unsigncryption oracle), then there exists an adversary $B$ against the uUF-RMA security of the signature scheme with advantage $\mathrm{Adv}_{\text{Sign}}^{\text{uUF-RMA}}(k)$ (whose running time is bounded by $t' \ge t + q_{\mathrm{sc}}(\tau + O(1))$, where τ denotes the maximal running time of the encryption and signing algorithms) for which*

*where*

We are dealing with the insider security model; the adversary has a target sender

We make the subsequent changes in the permutation π such that π gives a permutation response for each new query but *r* bits out of the *b*-bit output are random.
Likewise, *c* bits out of the *b* bit output are always different for new input.
The bound of these changes will be *b*-bit and *c*-bit outputs of π.

We start making changes in the SignEnc oracle.
We try to make the output of the SignEnc oracle random by using a random output of π.
We use the message/signature pair list Signlist having *M*.
Finally, SignEnc can respond with random output using a pre-computed Signlist, likewise independent of *K* used during the number of signcryption queries

We modify the VerDec oracle such that we detect an existential forgery on VerDec and show a reduction to the universal forgery on Ver.
Whenever we discuss a forgery, we consider *T* or a target collision on the input of Ver or creating a signature on random input of Sign.

During the unforgeability proof, it is natural to assume that the encryption scheme satisfies trapdoor one-wayness and its correctness condition.

For a detailed proof, see Appendix A.

We can have the following corollaries from the proof of Lemma 4.2, which are also summarized in Table 2.

*Corollary 4.3. If the encryption scheme follows OW-PCA and the signature scheme is uUF-RMA, then the parallel signcryption scheme is UF-AdA.*

Corollary 4.3 is a direct implication of Lemma 4.2. This corollary includes both probabilistic and deterministic signature schemes and also encryption schemes.

Corollary 4.4 is a sub-class result of Corollary 4.3, where the deterministic signature scheme follows UF-AdA (or sUF-AdA). This corollary serves as a bridge for our next corollary, Corollary 4.5.

*Corollary 4.4. If the encryption scheme follows OW-PCA and the signature scheme is suUF-RMA, then the parallel signcryption scheme is UF-AdA.*

*Corollary 4.5. If the encryption scheme is deterministic and follows one-wayness, and the signature scheme is suUF-RMA, then the parallel signcryption scheme is sUF-AdA.*

Corollaries 4.4 and 4.5 have a difference in achieved security because of the probabilistic and deterministic nature of the encryption scheme.
This is mainly because the encryption scheme that follows OW-PCA includes some probabilistic asymmetric encryption schemes, which have a re-randomization problem.
In re-randomization, for the same input to an asymmetric primitive, a different output value could be generated.
In such a case, and because of the insider security model, an adversary attacking the unforgeability of SIGNCRYPT can produce a different sign-ciphertext for the same input message that was queried earlier.
For example, for a query *K*.
Using insider knowledge and the probabilistic nature of asymmetric encryption, a new, valid output could be *K* and

Table 2: Unforgeability of SIGNCRYPT under different assumptions on Sign and Encrypt.

| Encrypt | | Sign: uUF-RMA | Sign: suUF-RMA |
|---|---|---|---|
| Deterministic | OW-CPA | UF-AdA | sUF-AdA |
| Probabilistic | OW-PCA | UF-AdA | UF-AdA |

### Privacy

The following lemma can be derived from Theorem 4.1.

*Lemma 4.6. Consider an adversary $A$ against the IND-CCA security of the parallel signcryption scheme with advantage $\mathrm{Adv}^{\text{IND-CCA}}_{\text{SIGNCRYPT}}(k)$, whose running time is bounded by $t$ and which makes at most $q_{\pi}$ queries to the permutation $\pi : \{0,1\}^{b=r+c} \to \{0,1\}^{b}$ oracle and $q_{\mathrm{usc}}$ queries to the unsigncryption oracle. Then there exists an adversary $B$ against the OW-PCA security of the public-key encryption scheme with advantage $\mathrm{Adv}^{\text{OW-PCA}}_{\text{Encrypt}}(k)$ and whose running time is bounded by $t' \le t + q_{\mathrm{usc}}(\tau + O(1))$, where τ denotes the maximal running time of the decryption and verification algorithms, for which*

We are dealing with the insider security model in the multi-user setting; the adversary has a target receiver *d* is the bit that adversary

We make the subsequent changes in the permutation π such that π gives a permutation response for each new query, but *r* bits out of the *b*-bit output are random.
Likewise, *c* bits out of the *b*-bit output are always different for new input.
This part remains the same as for unforgeability.

We modify the unsigncryption oracle such that it nullifies those queries to the unsigncryption oracle about which the adversary does not know an answer in advance with the help of the π query and which can be simulated without using the private key of the receiver *T* for the number of unsigncryption queries

We modify the signcryption oracle using the random response of π.
This will lead to simulating the signcryption oracle returning a random response.
This change will be bounded by the probability of guessing the randomness *K* used by an adversary or the advantage of an OW-PCA adversary breaking the one-wayness (OW).

The privacy proof of the scheme depends upon the probabilistic or deterministic nature of the underlying signature scheme. During the proof, we assume that the signature scheme is deterministic and follows the correctness condition. In subsequent sections, we show how we can remove this assumption on the signature scheme.

For a detailed proof, see Appendix B. After the proof of Lemma 4.6, we can have the following corollaries.

*Corollary 4.7. If the encryption scheme is OW-PCA and the signature scheme is deterministic, then the parallel signcryption scheme is IND-CCA.*

This corollary follows directly from Lemma 4.6.

*Corollary 4.8. If the encryption scheme is deterministic OW-CPA and the signature scheme is deterministic, then the parallel signcryption scheme is IND-CCA.*

This corollary is a sub-class result of Corollary 4.7, where the deterministic OW-CPA secure encryption scheme also satisfies OW-PCA.

Next, Corollary 4.9 is another representation of Corollaries 4.7 and 4.8, where we say only suUF-RMA signature schemes are valid for security because a deterministic uUF-RMA secure scheme also follows suUF-RMA.

*Corollary 4.9. If the encryption scheme is deterministic OW-CPA and the signature scheme is suUF-RMA, then the parallel signcryption scheme is IND-CCA.*

Corollaries 4.4 and 4.7 together give Theorem 4.1. Corollaries 4.5 and 4.9 together give the following theorem, Theorem 4.10. A summary of the corollaries related to the privacy proof of SIGNCRYPT is shown in Table 3. A gap in the results, where a probabilistic Sign following uUF-RMA does not provide security to SIGNCRYPT, will be addressed in the next section.

Table 3: Privacy of SIGNCRYPT under different combinations of Sign and Encrypt.

| Sign | | Encrypt: OW-PCA |
|---|---|---|
| Deterministic | uUF-RMA | IND-CCA |
| Deterministic | suUF-RMA | IND-CCA |
| Probabilistic | uUF-RMA | — |
| Probabilistic | suUF-RMA | IND-CCA |

*Theorem 4.10. If the encryption scheme is deterministic OW-CPA and the signature scheme is suUF-RMA, then the parallel signcryption scheme is IND/sUF-AdA secure.*

The proof of this theorem exactly follows the proof of Theorem 4.1, except that we now assume that Sign is suUF-RMA secure and Encrypt is also deterministic OW-CPA.

## 5 Extension of parallel signcryption

In Section 4, we saw two limitations of SIGNCRYPT. First, it does not support probabilistic Sign, where the same input can give two or more different signatures. Second, there is a restriction on the maximum message length. In this section, we discuss how to extend the usage of the parallel signcryption SIGNCRYPT in case of probabilistic Sign and in case of arbitrarily long messages.

### 5.1 Using probabilistic Sign

A probabilistic Sign is not supported in the proposed scheme because we assumed that Sign is deterministic and, for the same input, two different signatures are not considered.
In cases where a probabilistic Sign scheme needs to be used, IND-CCA security of SIGNCRYPT will no longer be valid under the proposed scenario because now an insider adversary can simply produce another signature σ on *d* of

### Solution 1

Relaxing IND-CCA experiment to IND-gCCA [2]:
Consider the challenged signed ciphertext

This change in the IND-CCA experiment is similar to IND-gCCA proposed in [2]. An, Dodis and Rabin [2] proposed this IND-gCCA notion specifically for signcryption in a more formal way to avoid the trivial attack discussed above. By following the IND-gCCA security experiment in [2], we can propose another corollary from Lemma 4.6.

*If the encryption scheme is OW-PCA and the signature scheme is unforgeable, then the parallel signcryption scheme is IND-gCCA.*

This corollary can be combined with corollaries from Lemma 4.2 and different, new results can be achieved.

### Solution 2

Include σ also as part of the input in *Sponge*.
This inclusion of σ in *Sponge* will bind σ to a particular *K*, *K*.
This change is simpler than meeting the requirements of the IND-gCCA security notion.
It was initially left out of the proposed scheme in order to keep the proof simple and straightforward.
Including this change, and explaining the reason for it, helps in understanding IND-gCCA and the role of *Sponge*.
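As an added illustration, not the paper's code and not its SpWrap or Sponge instantiation, the following Python model walks through the VerDec steps (1) to (4) of Section 4.1 beside the matching SignEnc side and adds the Solution 2 binding as a `bind_sigma` switch. Sponge is modelled with SHAKE256, SpWrap with a SHAKE256 keystream and tag, Enc/Dec with textbook RSA on 16-byte blocks using toy keys built from publicly known Mersenne primes, and Sign/Ver with RSA over a salted digest so that Sign is probabilistic; every name, key size, the fixed 32-byte message and the identities are assumptions of the example. `demo` exercises the three behaviours this section discusses: a correct round trip, ⊥ on a modified $T_k$, and the sender (holding $\mathrm{sk}_S$ but not $K$) replacing σ with a second valid signature on the same $S^2$, which yields another valid sign-ciphertext for the same message unless σ is absorbed into the Sponge input.

```python
"""Toy model of the SignEnc / VerDec flow of the sponge-based parallel
signcryption, with Solution 2 (sigma fed into Sponge) as a switch.  All
primitives are stand-ins chosen for this illustration, not the paper's:
  Sponge -> SHAKE256;  SpWrap -> SHAKE256 keystream plus SHAKE256 tag, keeping
  only the interface (K || M, IV) -> (C, T);  Enc/Dec -> textbook RSA on
  16-byte blocks with toy keys from known Mersenne primes;  Sign/Ver -> RSA on
  a salted SHAKE256 digest, hence probabilistic (fresh salt = new signature).
"""
import hashlib
import secrets

BLOCK = 16      # |S^1| = |S^2| in bytes; C = C^f || C^e = S^1 || S^2
KLEN = 16       # |K| = |T| in bytes
SALT = 8        # signature salt, the source of Sign's randomness
RSA_BYTES = 32  # every RSA value fits in 256 bits for the toy moduli below
MESSAGE = b"meet at noon at gate four, ok?!".ljust(2 * BLOCK, b" ")  # constructed

def rsa_keygen(p, q):
    """Toy RSA key from two given primes: (pk, sk) = ((n, e), (n, d))."""
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa_apply(key, block):
    """Raw RSA on a block smaller than the modulus; fixed RSA_BYTES output."""
    n, exp = key
    return pow(int.from_bytes(block, "big"), exp, n).to_bytes(RSA_BYTES, "big")

def sponge(data, outlen):
    return hashlib.shake_256(data).digest(outlen)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def spwrap_enc(K, M, IV):
    """(C, T) <- SpWrap.Enc(K || M, IV): stand-in keystream plus tag."""
    C = _xor(M, sponge(b"ks" + IV + K, len(M)))
    return C, sponge(b"tag" + IV + K + C, KLEN)

def spwrap_dec(K, C, T, IV):
    """SpWrap.Dec: M on a good tag, None (standing for bottom) otherwise."""
    if not secrets.compare_digest(sponge(b"tag" + IV + K + C, KLEN), T):
        return None
    return _xor(C, sponge(b"ks" + IV + K, len(C)))

def rsa_sign(sk, S2):
    salt = secrets.token_bytes(SALT)
    return salt + rsa_apply(sk, sponge(b"sig" + salt + S2, BLOCK))

def rsa_verify(pk, S2, sigma):
    salt, core = sigma[:SALT], sigma[SALT:]
    want = bytes(RSA_BYTES - BLOCK) + sponge(b"sig" + salt + S2, BLOCK)
    return secrets.compare_digest(rsa_apply(pk, core), want)

def _iv(ID_S, ID_R):
    return ID_S + ID_R + bytes(KLEN)  # IV_1 = ID_S || ID_R, IV_2 = 0^c (toy c)

def _mask(S1, Y1, sigma, bind_sigma):
    # Solution 2 of Section 5.1: the mask hiding K also absorbs sigma,
    # so K can only be recovered with this particular signature.
    return sponge(S1 + Y1 + (sigma if bind_sigma else b""), KLEN)

def signenc(M, sk_S, pk_R, ids, bind_sigma=False):
    assert len(M) == 2 * BLOCK, "toy scheme: fixed message length"
    K = secrets.token_bytes(KLEN)
    C, T = spwrap_enc(K, M, _iv(*ids))
    S1, S2 = C[:BLOCK], C[BLOCK:]
    Y1 = rsa_apply(pk_R, S1)    # Enc_{pk_R}(S^1)  } independent of each other,
    sigma = rsa_sign(sk_S, S2)  # Sign_{sk_S}(S^2) } so they can run in parallel
    return _xor(K, _mask(S1, Y1, sigma, bind_sigma)), Y1, (S2, sigma), _xor(T, K)

def verdec(Kh, Y1, Y2, Tk, sk_R, pk_S, ids, bind_sigma=False):
    S2, sigma = Y2
    S1 = rsa_apply(sk_R, Y1)[-BLOCK:]               # (1) Dec_{sk_R}(Y_1) and ...
    if not rsa_verify(pk_S, S2, sigma):             #     Ver_{pk_S}(Y_2): bottom on failure
        return None
    K = _xor(Kh, _mask(S1, Y1, sigma, bind_sigma))  # (2) K = K_h xor Sponge(...)
    T = _xor(Tk, K)                                 #     T = T_k xor K
    C = S1 + S2                                     # (3) C = S^1 || S^2
    return spwrap_dec(K, C, T, _iv(*ids))           # (4) M', or bottom

def demo(bind_sigma):
    """Round trip, a flipped bit in T_k, and the insider re-signing S^2."""
    pk_S, sk_S = rsa_keygen(2**127 - 1, 2**107 - 1)  # toy keys: public Mersenne primes
    pk_R, sk_R = rsa_keygen(2**89 - 1, 2**61 - 1)
    ids = (b"sender--", b"receiver")                 # ID_S, ID_R (constructed)
    Kh, Y1, (S2, sigma), Tk = signenc(MESSAGE, sk_S, pk_R, ids, bind_sigma)
    flipped = bytes([Tk[0] ^ 1]) + Tk[1:]
    sigma2 = rsa_sign(sk_S, S2)  # sender knows sk_S but not K: fresh salt, same S^2
    return {
        "roundtrip": verdec(Kh, Y1, (S2, sigma), Tk, sk_R, pk_S, ids, bind_sigma),
        "tampered_tag": verdec(Kh, Y1, (S2, sigma), flipped, sk_R, pk_S, ids, bind_sigma),
        "resigned": verdec(Kh, Y1, (S2, sigma2), Tk, sk_R, pk_S, ids, bind_sigma),
        "sigma_changed": sigma2 != sigma,
    }

if __name__ == "__main__":
    print({bind: demo(bind)["resigned"] == MESSAGE for bind in (False, True)})
```

With `bind_sigma=False`, `demo` returns the original message for the re-signed sign-ciphertext, which is the re-randomization effect of a probabilistic Sign that Section 5.1 describes; with `bind_sigma=True`, the recovered $K$ changes together with σ and SpWrap.Dec returns ⊥. Textbook RSA is deterministic, so the encryption side corresponds to the deterministic row of Table 2; the toy key sizes and the fixed-length message are for illustration only.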

### 5.2 Arbitrarily long messages

An arbitrarily long message can be supported in SIGNCRYPT without any major structure modification.
Earlier,

*Caution.* It is essential that if *not**T* using

With this proposed change from solution 2 and support of long messages, we call SIGNCRYPT

Theorem 4.1 can be modified for SIGNCRYPT

*If the encryption scheme is OW-PCA and the signature scheme is (uUF, suUF)-RMA, then the parallel signcryption SIGNCRYPT scheme is IND-CCA/(UF, sUF)-AdA secure.*

If we follow the proof of Lemma 4.2, after game G5, we can clearly see that the output of π is random.
Following random π, the output *h* of *Sponge* is also random.
Even if the adversary tries to use another σ for the same *h* that leads to random *K* and *T* or *K*.
This case is already included in the proof when

For IND-CCA security of SIGNCRYPT*T* or having knowledge of

Therefore, regarding IND-CCA of SIGNCRYPT*Sponge* is a dummy operation compared to SIGNCRYPT for outputting *T*, but its usage protects σ of Sign and outputs *K*.
This dependency provides IND-CCA security for SIGNCRYPT

## 6 Conclusion

The combination of an encryption and a signature scheme yields a signcryption scheme. The extra burden of satisfying both privacy and unforgeability against insider adversaries increases the complexity of proving that the system is secure and efficient. This complexity imposes limitations on the signcryption scheme in terms of the needed security assumptions, the achieved security and the efficiency, which have to be balanced against each other. Message pre-processing is found to be an attractive way to build a secure and efficient signcryption scheme. These message pre-processing techniques are, however, found to be inflexible, which prevents their improvement in different scenarios such as long message length, different types of underlying encryption and signature schemes, insider security, efficient computation in parallel, etc.

The versatile nature of the sponge structure enables us to modify message pre-processing efficiently. This efficient message pre-processing helps us to build a secure signcryption scheme that achieves a higher security level using weakly secure encryption and signature schemes. We also found that the probabilistic or deterministic nature of the signature scheme plays an important role in the privacy of the signcryption scheme, but the same is not true for unforgeability with respect to the encryption scheme. In the end, we were able to find a signcryption scheme that performs efficiently without compromising its security. The proposed scheme is highly customizable, as it allows the use of weakly secure schemes and of different types of underlying encryption and signature schemes.

## Appendix A: Proof of Lemma 4.2

We consider an experiment similar to UF-AdA as described in Section 2.3.
We follow the subsequent experiment for UF-AdA security of SIGNCRYPT against adversary

The advantage of adversary

We use a game-based proof framework [10].
We are dealing with the insider security model; the adversary has a target sender *i* by

Game G0 represents the original signcryption game for UF-AdA.
The adversary issues

From G0 to G4, we make successive changes in the permutation π.
The modified π gives a permutation response for each new query such that *r* bits out of the *b*-bit output are random.
Likewise, *c* bits out of the *b*-bit output are always different for new input.
This helps us to exploit the permutation property of *Sponge* and make an output *C* deterministic for a specific input *K*, *M* and

*Games G1 and G2.*
We start making changes in the permutation π.
In G1, we take the response of π randomly and differently from the previous responses using the set

*Games G3 and G4.*
G3 remains the same as G2.
In G3, we split up the output *v* of π in input rate *v* of π is chosen at random from the previous outputs.
We mark an event as

So, in case of

From G5 to G9, we start making changes in the SignEnc oracle.
We try to make the output of the SignEnc oracle random by using a random output of π.
We use the message/signature pair list Signlist having

*Games G5 and G6.*
G5 is the same as G6.
In G6, in SignEnc, we add a dummy random string

*Games G6 and G7.*
In G7, we change the response of π according to *SpPad.Enc* outputs *M* on *K*.
As we already know, the *r*-bit part of the *b*-bit output of π is random.
Therefore, we can replace the random output *x* of π with another random value

This change of response might fail if the response of the first π call using *K* in SignEnc is already defined by the *K* in SignEnc goes collision free, then all successive responses will be new due to the permutation property.
Therefore, the probability of failure of this response change in G7 for

*Games G7 and G8.*
In G8, we choose a new message/signature pair from Signlist at random.
We replace the chosen message *SpPad*) output.
In G8, before starting to calculate *SpPad* and after generating

*Games G8 and G9.*
In G9, the code remains the same as in G8; instead of calculating

From now on, we start making changes in the VerDec oracle.

*Game G10.*
In G10, we add some dummy lines, which do not affect the UF-CMA experiment of the game, and G10 remains the same as G9.
In G10, we modify the VerDec oracle such that we detect an existential forgery on VerDec and show a reduction to universal forgery on Ver.
Whenever we discuss a forgery, we consider

We set *flag* to a boolean value *old* initially, and set it to *new* in case the input/output response of π during VerDec does not belong to *i*-th query in case *flag* becomes *new*, then one of the values of π in VerDec is new with regard to SignEnc.
In case validation passed for *M* is not queried before SignEnc, and one of the values from

A forgery is assumed to be valid only when

*Game G11.*
In G11, we return

In case validation passed for *M* is not queried before SignEnc, and one of the values from π is freshly defined.
This leads to a target collision on the proposed *T* in the input to VerDec.
This happens with a probability of

*Game G12.*
G12 is the same as G11 except for some dummy lines of code added, shown in dashed boxes.

- Initially, a random $S_j$ of length $\ell_{\mathrm{sg}}$ is chosen. In case this $S_j$ appears in SignEnc during answering a query, we abort SignEnc from answering. The probability of this happening is $\frac{q_H}{2^{\ell_{\mathrm{sg}}}}$, and this event is not helpful in the forgery because such a query does not provide any information to adversary $\mathcal{A}$.
- We also mark a dummy event $\mathit{bad}_{\mathrm{sign}}$ as *true* if, during the VerDec query, $S^2 = S_j$ and $\mathsf{Ver}_{\mathrm{pk}_{S^*}}(y_2) = \top$ for $\mathrm{ID}_R = \mathrm{ID}_R^*$. This event signifies that the adversary has provided a valid signature on a randomly chosen $S^2$ for a targeted $\mathrm{ID}$ of sender and receiver. Later, we show that the probability of such $\mathit{bad}_{\mathrm{sign}}$ being *true* is equivalent to $\mathrm{Adv}^{\text{uUF-RMA}}_{\text{Sign},\mathcal{B}}(k)$.
- We also mark an event as $\mathit{bad} \leftarrow \mathit{true}$ in case VerDec returns $M$ if $I_{\mathrm{vd}} \subseteq I_{\pi}^{\mathcal{A}}$ is true and *flag* is still *old*.

*Game G13.*
In G13, we return *M* in case

The probability of *K*, *T*.
Here comes the part of special addition of an *K* and values of *r*-bit of

The probability of *without* the help of a known message/signature pair by generating a valid signature for random *K*,

Therefore, the adversary needs to produce either a collision over the *r*-bit of

*Games G13 and G14.*
G14 is the same as G13.
G14 is the final ideal game, and we simplify the cases by merging the bad event with the *flag* is set to *new* in case *flag* is *new*.
Return of *M* will happen only if *flag* is *old* and validation of *T* passed.
Now, essentially,

## Appendix B: Proof of Lemma 4.6

We consider the following experiment for IND-CCA security of SIGNCRYPT against adversary

The advantage of adversary

We are dealing with the insider security model in the multi-user setting; the adversary has a target receiver *d* is the bit the adversary wishes to find out.
Adversary *d* with the advantage ϵ, i.e.,

We will use game-playing techniques [9, 10].
We start from the original CCA game

where *I* by π, *Y* stores the capacity *c*-bit values upon each query to π.

We modify SIGNCRYPT into a sequence of games G0, G1, …, G12 such that

*Games G0 to G5.*
From G0 to G5, exactly the same changes follow as in the proof of Lemma 4.2.
Therefore,

In G5, the game maintains an extra set

*Games G5 and G6.*
Both games are the same.
In G6, a dummy operation of

*Games G6 and G7.*
In G7, in VerDec, we return *M* in case

Let *new* query to π when *old* query when *new* query *b*-bit value.
Therefore, one *new* query makes all subsequent inputs to *new* query, the *r*-bit response of π is random.
Therefore, in case *k*-bit *T* value.
Therefore,

Now if this *bad* event does not happen, then G7 will return *M* only in case all π responses are already known to

*Game G8.*
Both games are the same.
G7 and G8 both return *new* query is given to the VerDec oracle.
In G8, a message *M* is returned only when all the input/output relations of π, which would be possible during the encryption of *M*, are already in *K* and then tries to find all pairs of input/output responses, which reach to *T* via

*Due to the insider model, a faithful assumption on the signing algorithm is that, for the same input, two different signatures cannot be generated. We will discuss the impact of this assumption later, after the proof.*

*Games G8 and G9.*
We start incremental changes in the SIGNCRYPT oracle from G9.
In G9,

Some extra dummy variables

*Games G9 and G10.*
In G9,

*Game G11.*
In G10, during signcryption *r*-bit random output of π.
In G11, we directly allocate random

*Game G12.*
This is the final game of adversary

The probability of

where

Given

where

The last game G12 can be used to simulate adversary *k* bits from the input to Enc on given random *y* and other public information.
∎

## References

- [1] M. Abe, R. Gennaro and K. Kurosawa, Tag-KEM/DEM: A new framework for hybrid encryption, J. Cryptology 21 (2008), no. 1, 97–130.
- [2] J. H. An, Y. Dodis and T. Rabin, On the security of joint signature and encryption, Advances in Cryptology – EUROCRYPT 2002, Lecture Notes in Comput. Sci. 2332, Springer, Berlin (2002), 83–107.
- [3] C. Badertscher, F. Banfi and U. Maurer, A constructive perspective on signcryption security, Security and Cryptography for Networks – SCN 2018, Lecture Notes in Comput. Sci. 11035, Springer, Berlin (2018), 102–120.
- [4] J. Baek, R. Steinfeld and Y. Zheng, Formal proofs for the security of signcryption, Public Key Cryptography – PKC 2002, Lecture Notes in Comput. Sci. 2274, Springer, Berlin (2002), 80–98.
- [5] J. Baek, W. Susilo, J. K. Liu and J. Zhou, A new variant of the Cramer–Shoup KEM secure against chosen ciphertext attack, Applied Cryptography and Network Security – ACNS 2009, Lecture Notes in Comput. Sci. 5536, Springer, Berlin (2009), 143–155.
- [6] T. K. Bansal, D. Chang and S. K. Sanadhya, Sponge based CCA2 secure asymmetric encryption for arbitrary length message, Information Security and Privacy – ACISP 2015, Lecture Notes in Comput. Sci. 9144, Springer, Berlin (2015), 93–106.
- [7] M. Bellare and P. Rogaway, Optimal asymmetric encryption, Advances in Cryptology – EUROCRYPT 1994, Lecture Notes in Comput. Sci. 950, Springer, Berlin (1995), 92–111.
- [8] M. Bellare and P. Rogaway, The exact security of digital signatures – how to sign with RSA and Rabin, Advances in Cryptology – EUROCRYPT 1996, Lecture Notes in Comput. Sci. 1070, Springer, Berlin (1996), 399–416.
- [9] M. Bellare and P. Rogaway, Code-based game-playing proofs and the security of triple encryption, preprint (2004), http://eprint.iacr.org/2004/331.
- [10] M. Bellare and P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, Advances in Cryptology – EUROCRYPT 2006, Lecture Notes in Comput. Sci. 4004, Springer, Berlin (2006), 409–426.
- [11] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Duplexing the sponge: Single-pass authenticated encryption and other applications, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2011), 320–337.
- [12] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Permutation-based encryption, authentication and authenticated encryption, preprint (2012).
- [13] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Keccak, Advances in Cryptology – EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Berlin (2013), 313–314.
- [14] T. E. Bjørstad and A. W. Dent, Building better signcryption schemes with tag-KEMs, Public Key Cryptography – PKC 2006, Lecture Notes in Comput. Sci. 3958, Springer, Berlin (2006), 491–507.
- [15] T. E. Bjørstad, A. W. Dent and N. P. Smart, Efficient KEMs with partial message recovery, Cryptography and Coding, Lecture Notes in Comput. Sci. 4887, Springer, Berlin (2007), 233–256.
- [16] D. Chiba, T. Matsuda, J. C. N. Schuldt and K. Matsuura, Efficient generic constructions of signcryption with insider security in the multi-user setting, Applied Cryptography and Network Security – ACNS 2011, Lecture Notes in Comput. Sci. 6715, Springer, Berlin (2011), 220–237.
- [17] R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, Advances in Cryptology – CRYPTO 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 13–25.
- [18] A. W. Dent, A designer's guide to KEMs, Cryptography and Coding, Lecture Notes in Comput. Sci. 2898, Springer, Berlin (2003), 133–151.
- [19] A. W. Dent, Hybrid signcryption schemes with insider security, Information Security and Privacy – ACISP 2005, Lecture Notes in Comput. Sci. 3574, Springer, Berlin (2005), 253–266.
- [20] A. W. Dent, Hybrid signcryption schemes with outsider security, Information Security – ISC 2005, Lecture Notes in Comput. Sci. 3650, Springer, Berlin (2005), 203–217.
- [22] Y. Dodis, M. J. Freedman, S. Jarecki and S. Walfish, Versatile padding schemes for joint signature and encryption, Proceedings of the 11th ACM Conference on Computer and Communications Security – CCS'04, ACM, New York (2004), 344–353.
- [23] Y. Dodis, M. J. Freedman and S. Walfish, Parallel signcryption with OAEP, PSS-R, and other Feistel paddings, preprint (2003), http://eprint.iacr.org/2003/043.
- [24] E. Fujisaki and T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, J. Cryptology 26 (2013), no. 1, 80–101.
- [25] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory 31 (1985), no. 4, 469–472.
- [26] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Sponge functions, ECRYPT Hash Function Workshop, 2007.
- [27] E. Kiltz, Chosen-ciphertext security from tag-based encryption, Theory of Cryptography – TCC 2006, Lecture Notes in Comput. Sci. 3876, Springer, Berlin (2006), 581–600.
- [28] K. Kurosawa and Y. Desmedt, A new paradigm of hybrid encryption scheme, Advances in Cryptology – CRYPTO 2004, Lecture Notes in Comput. Sci. 3152, Springer, Berlin (2004), 426–442.
- [29] B. Libert and J. Quisquater, Efficient signcryption with key privacy from gap Diffie–Hellman groups, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 187–200.
- [30] J. Malone-Lee and W. Mao, Two birds one stone: Signcryption using RSA, Topics in Cryptology – CT-RSA 2003, Lecture Notes in Comput. Sci. 2612, Springer, Berlin (2003), 211–225.
- [31] T. Matsuda, K. Matsuura and J. C. N. Schuldt, Efficient constructions of signcryption schemes and signcryption composability, Progress in Cryptology – INDOCRYPT 2009, Lecture Notes in Comput. Sci. 5922, Springer, Berlin (2009), 321–342.
- [32] T. Okamoto and D. Pointcheval, REACT: Rapid enhanced-security asymmetric cryptosystem transform, Topics in Cryptology – CT-RSA 2001, Lecture Notes in Comput. Sci. 2020, Springer, Berlin (2001), 159–175.
- [33] J. Pieprzyk and D. Pointcheval, Parallel authentication and public-key encryption, Information Security and Privacy – ACISP 2003, Lecture Notes in Comput. Sci. 2727, Springer, Berlin (2003), 387–401.
- [34] J. Pieprzyk and D. Pointcheval, Parallel signcryption, Practical Signcryption, Springer, Berlin (2010), 175–192.
- [36] R. Steinfeld and Y. Zheng, A signcryption scheme based on integer factorization, Information Security – ISW 2000, Lecture Notes in Comput. Sci. 1975, Springer, Berlin (2000), 308–322.
- [37] C. H. Tan, Signcryption scheme in multi-user setting without random oracles, Advances in Information and Computer Security – IWSEC 2008, Lecture Notes in Comput. Sci. 5312, Springer, Berlin (2008), 64–82.
- [38] Y. Zheng, Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption), Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 165–179.
- [39] SHA-3 hash function competition, 2007; http://csrc.nist.gov/groups/ST/hash/sha-3/index.html, last visited 02-Jan-2017.