Digital Signcryption

Signcryption is a new cryptographic primitive which simultaneously provides both confidentiality and authenticity. Previously, these two goals had been considered separately, with encryption schemes providing confidentiality and signature schemes providing authenticity. In cases where both were required, the encryption and signature operations were simply sequentially composed. In 1997, Zheng demonstrated that by combining both goals into a single primitive, it is possible to achieve significant savings both in computational and communication overhead. Since then, a wide variety of signcryption schemes have been proposed. In this thesis, we present a number of the proposed signcryption schemes in terms of a common framework. For the most part, the material has been previously presented in various research papers, but some previously omitted proofs have been filled in here. We begin by giving a formal definition of the signcryption primitive, complete with a security model. Then we look at some of the various proposed signcryption schemes, and consider their relative advantages and disadvantages. Finally, we look ahead at what future progress might be made in the field

Parallel Signcryption with OAEP, PSS-R and other Feistel Paddings. 2003. Available at http://eprint.iacr.org/2003/043

We present a new, elegant composition method for joint signature and encryption, also referred to as signcryption. The new method, which we call Padding-based Parallel Signcryption (PbPS), builds an efficient signcryption scheme from any family of trapdoor permutations, such as RSA. Each user U generates a single public/secret key pair fU/f −1 U used for both sending and receiving the data. To signcrypt a message m to a recipient with key frcv, a sender with key fsnd efficiently transforms m into a pair 〈w, s〉, and simply sends frcv(w)�f −1 snd (s). PbPS enjoys many attractive properties: simplicity, efficiency, generality, parallelism of “encrypting”/“signing”, optimal exact security, flexible and ad-hoc key management, key reuse for sending/receiving data, optimally-low message expansion, long message and associated data support, and, finally, complete compatibility with the PKCS#1 infrastructure. The pairs 〈w, s 〉 sufficient for the security of PbPS are called universal two-padding schemes. Using one round of the Feistel transform, we give a very general construction of such schemes. Interestingly, we notice that all popular padding schemes with message recovery used for plain signature or encryption, suc