On the security of joint signature and encryption
2002
Cited by 113 (6 self)
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call “commit-then-encrypt-and-sign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hash-sign-switch” technique of [30], leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Improved proxy re-encryption schemes with applications to secure distributed storage
In NDSS, 2005
Cited by 57 (14 self)
In 1998, Blaze, Bleumer, and Strauss proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure re-encryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the wide-spread adoption of BBS re-encryption has been hindered by considerable security risks. Following recent work of Ivan and Dodis, we present new re-encryption schemes that realize a stronger notion of security and we demonstrate the usefulness of proxy reencryption as a method of adding access control to the SFS read-only file system. Performance measurements of our experimental file system demonstrate that proxy re-encryption can work effectively in practice.
Two birds one stone: signcryption using RSA
In: CT-RSA 2003, LNCS 2612, 2003
Cited by 11 (0 self)
Abstract. Signcryption is a public key primitive proposed by Zheng [14] to achieve the combined functionality of digital signature and encryption in an efficient manner. We present a signcryption scheme based on RSA and provide proofs of security in the random oracle model [6] for its privacy and unforgeability. Both proofs are under the assumption that inverting the RSA function is hard. Our scheme has two appealing aspects to it. First of all it produces compact ciphertexts. Secondly it offers non-repudiation in a very straightforward manner.
Concealment and its applications to authenticated encryption
In EUROCRYPT 2003, 2003
Cited by 8 (1 self)
Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a “non-trivial” concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed
Building better signcryption schemes with Tag-KEMs
Proceedings of the 9th International Conference on Theory and Practice of Public-Key Cryptography, PKC 2006, volume 3958 of Lecture Notes in Computer Science, 2006
Cited by 7 (1 self)
Signcryption schemes aim to provide all of the advantages of simultaneously signing and encrypting a message. Recently, Dent [8, 9] and Bjørstad [4] investigated the possibility of constructing provably secure signcryption schemes using hybrid KEM-DEM techniques [7]. We build on this work by showing that more efficient insider secure hybrid signcryption schemes can be built using tag-KEMs [1]. To prove the effectiveness of this construction, we will provide several examples of secure signcryption tag-KEMs, including a brand new construction based on the Chevallier-Mames signature scheme [5] which has the tightest known security reductions for both confidentiality and unforgeability.
Hybrid signcryption schemes with insider security
Proceedings of 10th Australasian Conference on Information Security and Privacy, volume 3574 of Lecture Notes in Computer Science, 2005
Cited by 7 (2 self)
Abstract. The question of constructing a hybrid signcryption scheme with outside security was considered by Dent [7]. That paper also demonstrated that the basic hybrid construction formalised by Cramer and Shoup [5, 9] is incapable of producing a signcryption scheme with insider security. This paper provides a paradigm for constructing signcryption schemes with insider security based on the ideas of hybrid cryptography.
Signcryption with Non-Interactive Non-Repudiation
2004
Cited by 3 (0 self)
Signcryption [35] is a public key primitive that achieves the functionality of both an encryption scheme and a signature scheme simultaneously. It does this more efficiently than a composition of public key encryption and public key signature.
Tolerant Combiners: Resilient Cryptographic Design
2002
Cited by 3 (0 self)
We investigate how to construct secure cryptographic schemes, from few candidate schemes, some of which may be insecure. Namely, tolerant constructions tolerate the insecurity of some of the component schemes used in the construction. We define tolerant constructions, and investigate folklore, practical cascade and parallel constructions. We prove cascade of encryption schemes provide tolerance for indistinguishability under chosen ciphertext attacks, including a weak adaptive variant. Similarly, certain parallel constructions ensure tolerance for unforgeability of Signature/MAC schemes, OWF, ERF, AONT and certain collision-resistant hash functions. We present (new) tolerant constructions for (several variants of) commitment schemes. Our constructions are simple, efficient and practical. To ensure practicality, we use concrete security analysis (in addition to the simpler asymptotic analysis).
Analysis and Improvement of Authenticatable Ring Signcryption Scheme
Cited by 3 (0 self)
Abstract. Ring signcryption is an anonymous signcryption which allows a user to anonymously signcrypt a message on behalf of a set of users including himself. In an ordinary ring signcryption scheme, even if a user of the ring generates a signcryption, he also cannot prove that the signcryption was produced by himself. In 2008, Zhang, Yang, Zhu, and Zhang solve the problem by introducing an identity-based authenticatable ring signcryption scheme (denoted as the ZYZZ scheme). In the ZYZZ scheme, the actual signcrypter can prove that the ciphertext is generated by himself, and the others cannot authenticate it. However, in this paper, we show that the ZYZZ scheme is not secure against chosen plaintext attacks. Furthermore, we propose an improved scheme that remedies the weakness of the ZYZZ scheme. The improved scheme has shorter ciphertext size than the ZYZZ scheme. We then prove that the improved scheme satisfies confidentiality, unforgeability, anonymity and authenticatability. Keywords: Identity-based cryptography, bilinear pairings, ring signcryption, ring signature.
Security analysis of two signcryption schemes
In Proceedings of ISC 2004, 2004
Cited by 1 (0 self)
Abstract. Signcryption is a new cryptographic primitive that performs signing and encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we present a security analysis of two such schemes: the Huang-Chang convertible signcryption scheme [12], and the Kwak-Moon group signcryption scheme [13]. Our results show that both schemes are insecure. Specifically, the Huang-Chang scheme fails to provide confidentiality, while the Kwak-Moon scheme does not satisfy the properties of unforgeability, coalition-resistance, and traceability.

