Signcryption Tag-KEMs

Building Better Signcryption Schemes with Tag-KEMs
Tor E. Bjørstad and Alexander W. Dent
University of Bergen, Norway
Royal Holloway, University of London, U.K.
Signcryption

Introduced by Zheng in 1997.
Combines the advantages of public-key encryption and digital signatures:
– Confidentiality
– Integrity/Origin authentication
– Non-repudiation?
A relatively new type of primitive.
Two competing security models.

Signcryption

Common Parameter Generation
Sender Key Generation: (pkS, skS)
Receiver Key Generation: (pkR, skR)
Signcryption of message m using pkR and skS
Unsigncryption of signcryption C using pkS and skR

Signcryption

An, Dodis and Rabin (2002) security model.
Two user model.
Outsider security
– Security against attacks made by third parties, i.e. anyone who isn’t the sender or the receiver.
Insider security
– Full security, prevents attacks against the integrity of the scheme made by the receiver.
Baek, Steinfeld and Zheng (2002) model.

Signcryption

Confidentiality. No third party should be able to learn any information about the message from the signcryption.
– IND security against attacker with encryption and decryption oracles.
Integrity. No party should be able to forge ciphertexts that purport to be from the sender.
– Existential unforgeability against attacker with the private key of the receiver and an encryption oracle.

Hybrid Signcryption

Adapts a well-known technique in public-key encryption schemes.
Involves using symmetric algorithms as subroutines in public-key schemes.
Typically involves randomly generating a symmetric key and an asymmetric encryption of that key.
Formalised for an encryption scheme by Cramer and Shoup (1998).

Hybrid Signcryption

Elegant solution for hybrid signcryption with outsider security proposed in ISC 2005.
Messy but workable solution for hybrid signcryption with insider security proposed in ACISP 2005.
– Poor security reduction involving multiple terms
– Confidentiality relies on the KEM being unforgeable.
We propose an elegant new solution using the Tag-KEM ideas of Abe et al. (2005).

Tag-KEMs

A public/private key generation algorithm.
A symmetric key generation algorithm.
An encapsulation algorithm.
A decapsulation algorithm.

[Diagram: pk → Sym → (K, ω); (ω, tag) → Encap → C; (sk, C, tag) → Decap → K]

Tag-KEMs

Combine with a (passively secure) symmetric encryption scheme to give a (strongly secure) asymmetric encryption scheme.

[Diagram: pk → Sym → (K, ω); (K, m) → ENC → C2; C2 is used as the tag; (ω, tag) → Encap → C1]

Tag-KEMs

Decryption works in the obvious way.
Note that C2 is acting both as the tag that allows the recovery of K and as the encryption of m.

[Diagram: (sk, C1, C2) → Decap → K; (K, C2) → DEC → m]

Signcryption Tag-KEMs

[Diagram: pk → Sym → (K, ω); (K, m) → ENC → C2; C2 is used as the tag; (ω, tag) → Encap → C1]

Signcryption Tag-KEMs

[Diagram: (skS, pkR) → Sym → (K, ω); (K, m) → ENC → C2; C2 is used as the tag; (ω, tag) → Encap → C1]

Confidentiality proven in the same way as for public-key encryption: it must be infeasible to gain any information about a symmetric key from its encapsulation.
To get integrity protection we must insist that it is infeasible to produce a pair (tag, C1) where C1 decapsulates properly to give a key K with the given tag – in other words C1 acts as a strongly secure signature on tag.

Signcryption Tag-KEMs

Many existing signcryption schemes can be thought of as using SCTKs implicitly.
We show Zheng’s scheme can be proven secure as a signcryption Tag-KEM.
– The security reduction for confidentiality is:
2 AdvGDH  AdvDEM
– In the KEM case, this was:
4 AdvGDH  AdvDEM  2qH AdvDL
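
Added example (not from the slides or the authors' paper): a toy Python rendering of a Zheng-style signcryption Tag-KEM, showing Sym, Encap and Decap and the composition in which C2 is both the encryption of m and the tag. The group parameters, hash input encoding, KDF and XOR-stream DEM are assumptions chosen so that it runs offline; they are far too small and simple for real use.

```python
import hashlib, secrets
from math import isqrt

# Toy Schnorr group (assumed parameters, far too small for real use): prime Q, prime P = COF*Q + 1.
Q = 2**31 - 1
COF = next(k for k in range(2, 1000, 2)
           if all((k * Q + 1) % d for d in range(3, isqrt(k * Q + 1) + 1, 2)))
P = COF * Q + 1
G = next(g for h in range(2, 50) if (g := pow(h, COF, P)) != 1)  # element of order Q

def kdf(kappa):  # derive the symmetric key K from the shared group element
    return hashlib.sha256(b"kdf|%d" % kappa).digest()

def H(tag, kappa):  # hash to Z_Q; this input encoding is an assumption of the sketch
    return int.from_bytes(hashlib.sha256(b"%d|" % kappa + tag).digest(), "big") % Q

def keygen():  # returns (private key x, public key G^x)
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sym(sk_s, pk_r):  # Sym: fresh key K plus internal state omega
    n = secrets.randbelow(Q - 1) + 1
    kappa = pow(pk_r, n, P)
    return kdf(kappa), (sk_s, n, kappa)

def encap(omega, tag):  # Encap: C1 = (r, s) acts as the sender's signature on tag
    sk_s, n, kappa = omega
    r = H(tag, kappa)
    return r, n * pow(sk_s + r, -1, Q) % Q

def decap(pk_s, sk_r, c1, tag):  # Decap: K, or None if (tag, C1) does not verify
    r, s = c1
    kappa = pow(pk_s * pow(G, r, P) % P, s * sk_r % Q, P)
    return kdf(kappa) if H(tag, kappa) == r else None

def dem(K, data):  # one-time XOR stream standing in for a passively secure DEM
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(K).digest(len(data))))

def signcrypt(sk_s, pk_r, m):
    K, omega = sym(sk_s, pk_r)
    c2 = dem(K, m)  # C2 is both the encryption of m and the tag
    return encap(omega, c2), c2

def unsigncrypt(pk_s, sk_r, c1, c2):
    K = decap(pk_s, sk_r, c1, c2)
    return None if K is None else dem(K, c2)
```

Decap recovers the same group element because (pkS · G^r)^(s · skR) = G^(n · skR) = pkR^n, so any change to C2 or to the claimed sender key makes the hash check fail before DEC is ever run.
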
Signcryption Tag-KEMs

We also propose a new signcryption scheme based on the Chevallier-Mames signature scheme (2005).
This has the tightest security bounds of any signcryption scheme we could find:
– Tight reduction to GDH for confidentiality
– Tight reduction to CDH for integrity
Reasonably efficient.

Open Problems

Non-repudiation presents an interesting challenge. Does the existence of the symmetric key K help with non-repudiation?
Signcryption Tag-KEMs are very similar to signature schemes. Can we find a method for turning a general signature scheme into a signcryption scheme? How about a Fiat-Shamir signature scheme?

Conclusions

We presented a new paradigm for constructing signcryption schemes, which
– Has all the advantages associated with hybrid encryption,
– Does not have the disadvantages of previous attempts to produce hybrid signcryption paradigms.
We presented two schemes in this model, including a completely new scheme with the best known security bounds of any signcryption scheme.
We also discuss (in the paper) the use of SCTKs as a key agreement mechanism.