Signcryption

Last updated January 29, 2025

In cryptography, signcryption is a public-key primitive that simultaneously performs the functions of both digital signature and encryption.

Background

Encryption and digital signature are two fundamental cryptographic tools that can guarantee the confidentiality, integrity, and non-repudiation. Until 1997, they were viewed as important but distinct building blocks of various cryptographic systems. In public key schemes, a traditional method is to digitally sign a message then followed by an encryption (signature-then-encryption) that can have two problems: Low efficiency and high cost of such summation, and the case that any arbitrary scheme cannot guarantee security. Signcryption is a relatively new cryptographic technique that is supposed to perform the functions of digital signature and encryption in a single logical step and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes.

Signcryption provides the properties of both digital signatures and encryption schemes in a way that is more efficient than signing and encrypting separately. This means that at least some aspect of its efficiency (for example the computation time) is better than any hybrid of digital signature and encryption schemes, under a particular model of security. Note that sometimes hybrid encryption can be employed instead of simple encryption, and a single session-key reused for several encryptions to achieve better overall efficiency across many signature-encryptions than a signcryption scheme but the session-key reuse causes the system to lose security under even the relatively weak CPA model. This is the reason why a random session key is used for each message in a hybrid encryption scheme but for a given level of security (i.e., a given model, say CPA), a signcryption scheme should be more efficient than any simple signature-hybrid encryption combination.

History

The first signcryption scheme was introduced by Yuliang Zheng in 1997.^[1] Zheng also proposed an elliptic curve-based signcryption scheme that saves 58% of computational and 40% of communication costs when it is compared with the traditional elliptic curve-based signature-then-encryption schemes.^[2] There are also many other signcryption schemes that have been proposed throughout the years, each of them having its own problems and limitations, while offering different levels of security and computational costs.

Structure and goals

A signcryption scheme typically consists of three algorithms: Key Generation (Gen), Signcryption (SC), and Unsigncryption (USC). Gen generates a pair of keys for any user, SC is generally a probabilistic algorithm, and USC is most likely deterministic. Any signcryption scheme should have the following properties:^[3]

Correctness: Any signcryption scheme should be verifiably correct.
Efficiency: The computational costs and communication overheads of a signcryption scheme should be smaller than those of the best known signature-then-encryption schemes with the same provided functionalities.
Security: A signcryption scheme should simultaneously fulfill the security attributes of an encryption scheme and those of a digital signature. Such additional properties mainly include: Confidentiality, Unforgeability, Integrity, and Non-repudiation. Some signcryption schemes provide further attributes such as Public verifiability and Forward secrecy of message confidentiality while the others do not provide them. Such properties are the attributes that are required in many applications while the others may not require them. Hereunder, the above-mentioned attributes are briefly described.
- Confidentiality: It should be computationally infeasible for an adaptive attacker to gain any partial information on the contents of a signcrypted text, without knowledge of the sender's or designated recipient's private key.
- Unforgeability: It should be computationally infeasible for an adaptive attacker to masquerade as an honest sender in creating an authentic signcrypted text that can be accepted by the unsigncryption algorithm.
- Non-repudiation: The recipient should have the ability to prove to a third party (e.g. a judge) that the sender has sent the signcrypted text. This ensures that the sender cannot deny his previously signcrypted texts.
- Integrity: The recipient should be able to verify that the received message is the original one that was sent by the sender.
- Public verifiability: Any third party without any need for the private key of sender or recipient can verify that the signcrypted text is the valid signcryption of its corresponding message.
- Forward secrecy of message confidentiality: If the long-term private key of the sender is compromised, no one should be able to extract the plaintext of previously signcrypted texts. In a regular signcryption scheme, when the long-term private key is compromised, all the previously issued signatures will not be trustworthy any more. Since the threat of key exposure is becoming more acute as the cryptographic computations are performed more frequently on poorly protected devices such as mobile phones, forward secrecy seems an essential attribute in such systems.

Schemes

Example signcryption schemes include:

Zheng 1997's system based on ElGamal encryption,^[1] and the 1998 elliptic curve version.^[2]

Applications

Signcryption is seen^{[ citation needed ]} to have several applications including the following:

Secure and authentic email.
E-commerce and M-commerce applications that often require confidentiality, authenticity, and perhaps non-repudiation.

Related Research Articles

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

In cryptography, encryption is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Despite its goal, encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security. There are many kinds of public-key cryptosystems, with different security goals, including digital signature, Diffie-Hellman key exchange, public-key key encapsulation, and public-key encryption.

In law, non-repudiation is a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated".

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the recipient.

Articles related to cryptography include:

Identity-based encryption (IBE), is an important primitive of identity-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user. This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.

In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message. In other words, it is used to confirm that the message came from the stated sender and has not been changed. The MAC value allows verifiers to detect any changes to the message content.

Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

A cryptographic protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used and includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.

In cryptography, a secure channel is a means of data transmission that is resistant to overhearing and tampering. A confidential channel is a means of data transmission that is resistant to overhearing, or eavesdropping, but not necessarily resistant to tampering. An authentic channel is a means of data transmission that is resistant to tampering but not necessarily resistant to overhearing.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 8551. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

Yuliang Zheng is the Chair of the Department of Computer and Information Sciences at the University of Alabama at Birmingham. He is best known for inventing the Signcryption cryptographic primitive that combines the digital signature and encryption operations into one single step. He also invented the HAVAL hash function, SPEED cipher, and STRANDOM pseudo-random number generator.

IEEE P1363 is an Institute of Electrical and Electronics Engineers (IEEE) standardization project for public-key cryptography. It includes specifications for:

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised, limiting damage. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys.

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.

A BLS digital signature, also known as Boneh–Lynn–Shacham (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic.

<span class="mw-page-title-main">Cryptography</span> Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

Post-quantum cryptography (PQC), sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms that are currently thought to be secure against a cryptanalytic attack by a quantum computer. Most widely-used public-key algorithms rely on the difficulty of one of three mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm or even faster and less demanding alternatives.

SM9 is a Chinese national cryptography standard for Identity Based Cryptography issued by the Chinese State Cryptographic Authority in March 2016. It is represented by the Chinese National Cryptography Standard (Guomi), GM/T 0044-2016 SM9. The standard contains the following components:

References

1 2 Zheng, Yuliang (1997). "Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption)". Advances in Cryptology — CRYPTO '97. Lecture Notes in Computer Science. Vol. 1294. pp. 165–179. doi:10.1007/BFb0052234. ISBN 978-3-540-63384-6.
1 2 Zheng, Yuliang; Imai, Hideki (1998). "How to construct efficient signcryption schemes on elliptic curves". Information Processing Letters. 68 (5): 227–233. doi:10.1016/S0020-0190(98)00167-7.
↑ Toorani, M.; Beheshti, A. A. (January 2010). "Cryptanalysis of an Elliptic Curve-based Signcryption Scheme". International Journal of Network Security. 10 (1): 1–56. arXiv: 1004.3521 .

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[zheng97-1] 1 2 Zheng, Yuliang (1997). "Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption)". Advances in Cryptology — CRYPTO '97. Lecture Notes in Computer Science. Vol. 1294. pp. 165–179. doi:10.1007/BFb0052234. ISBN 978-3-540-63384-6.

[zheng98-2] 1 2 Zheng, Yuliang; Imai, Hideki (1998). "How to construct efficient signcryption schemes on elliptic curves". Information Processing Letters. 68 (5): 227–233. doi:10.1016/S0020-0190(98)00167-7.

[Toorani-3] Toorani, M.; Beheshti, A. A. (January 2010). "Cryptanalysis of an Elliptic Curve-based Signcryption Scheme". International Journal of Network Security. 10 (1): 1–56. arXiv: 1004.3521 .

[1]

[2]

[3]