
About this book

This monograph gives a thorough treatment of the celebrated compositions of signature and encryption that allow for verifiability, that is, the ability to efficiently prove properties about the encrypted data.

This study is conducted in the context of two cryptographic primitives: (1) designated confirmer signatures, an opaque signature introduced to control the proliferation of certified copies of documents, and (2) signcryption, a primitive that offers privacy and authenticity at once in an efficient way.

This book is a useful resource to researchers in cryptology and information security, graduate and PhD students, and security professionals.





Chapter 1. Preliminaries

This chapter serves as an elementary-level introduction to the book. Section 1.1 introduces the most basic cryptographic primitives, namely digital signatures, public-key encryption including hybrid encryption (key/data encapsulation mechanisms) and tag-based encryption, and finally commitment schemes. The presentation of the primitives also provides the formal security notions that are needed later in our study. The following two sections consider an important notion of modern cryptography, namely reductionist security: Sect. 1.2 recalls the intractable problems frequently used in cryptography, and Sect. 1.3 continues with the basic tools used to gain confidence in cryptographic systems. Finally, Sect. 1.4 tackles an important cryptographic mechanism, needed in many real-life applications, that allows one to conduct proofs without revealing more than the veracity of the proven statement.
Laila El Aimani

Chapter 2. Case-Study Primitives

This chapter introduces the primitives under study, namely designated-confirmer signatures and signcryption. The presentation covers the syntax of these primitives as well as their security properties. Since establishing a formal security model for a cryptographic system is a genuine challenge and a point of divergence among cryptographers, we subject the model we adopt to an in-depth comparison with the already established ones; our goal is to have well-reasoned and stringent security properties which capture various attack scenarios.
Laila El Aimani

The “Sign_then_Encrypt” (StE) Paradigm


Chapter 3. Analysis of StE

In the case of confirmer signatures, StE consists in first signing the message and then encrypting the resulting signature; in the case of signcryption, the encryption covers both the message and the produced signature. The construction was first formally described for confirmer signatures in Camenisch and Michels (Confirmer signature schemes secure against adaptive adversaries. In: Preneel B (ed) Advances in cryptology - EUROCRYPT 2000. LNCS, vol 1807. Springer, Heidelberg, pp 243–258, 2000); the idea, without proof, was already known, being mentioned for instance in Damgård and Pedersen (New convertible undeniable signature schemes. In: Maurer UM (ed) Advances in cryptology - EUROCRYPT’96. LNCS, vol 1070. Springer, Heidelberg, pp 372–386, 1996). That construction suffered from resorting to concurrent zero-knowledge (ZK) proofs of general NP statements in the confirmation/denial protocol (i.e. proving knowledge of the decryption of a ciphertext, and that this decryption forms a valid signature on the given message). In this chapter, we analyze the exact security of StE, i.e. we specify the necessary and sufficient assumptions on the components that lead to secure constructions. On the way, we examine the conjectured security of a celebrated confirmer signature derived from StE, which had been left as an open problem for more than a decade. Although the results are all stated for confirmer signatures, they extend straightforwardly to the signcryption case.
Laila El Aimani

Chapter 4. An Efficient Variant of StE

The study conducted in the previous chapter concludes that the basic StE paradigm requires IND-PCA secure encryption in order to achieve invisibility. This condition on the base encryption excludes a class of encryption schemes that allow for very efficient confirmation/denial protocols. In this chapter, we propose an efficient variant of StE; we demonstrate its efficiency by explicitly describing the confirmation/denial protocols when the building blocks are instantiated from a large class of signature/encryption schemes. The modification we propose applies only to the confirmer signature case; we refer to Chap. 7 for an alternative paradigm for verifiable signcryption.
Laila El Aimani

The “Commit_then_Encrypt_and_Sign” (CtEaS) Paradigm


Chapter 5. Analysis of CtEaS

Efficient as the (new) StE is, it can only be used with a restricted class of signatures if verification is to remain efficient. The Commit_then_Encrypt_and_Sign (CtEaS) paradigm has the merit of accepting any signature among its building blocks without compromising the verification protocols. In this chapter, we investigate this method by determining the exact security property the encryption needs in order to yield secure constructions. Our study, conducted for confirmer signatures, applies also to signcryption.
Laila El Aimani

Chapter 6. CtEtS: An Efficient Variant of CtEaS

The CtEaS paradigm suffers from an intrinsic weakness: a confirmer signature can be produced without knowledge of the signing key. This forces the paradigm to rest on strong (PCA secure) encryption and consequently rules out homomorphic encryption, which is known to facilitate verification. In this chapter, we eliminate this weakness and demonstrate the efficiency of the resulting construction by describing many concrete instantiations. Our modification applies only to confirmer signatures (see Chap. 7 for the details). We further shed light on a special instance of CtEaS, namely Encrypt_then_Sign (EtS), which can be very useful in situations where a trusted party is available.
Laila El Aimani
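The three compositions described in Chapters 3, 5 and 6 (StE for confirmer signatures and for signcryption, CtEaS, and EtS in its signcryption reading: encrypt the message, then sign the ciphertext), as an added example that is not from the book. The Python below fixes the data flow of each paradigm on deliberately toy primitives: textbook RSA with hard-coded 30-bit primes serving both as a full-domain-hash signature and as a hashed RSA-KEM, a SHA-256 keystream DEM, and a SHA-256 hash commitment. All parameters, the DEM, the commitment and every function name are assumptions of this example. The confirm() functions replace the zero-knowledge confirmation/denial protocols by the confirmer's private decrypt-and-verify, and the hashed KEM/DEM used here is not homomorphic, so none of the efficient protocols of Chapters 4 and 6 could be run on top of it.

```python
"""Data flow of the StE, CtEaS and EtS compositions on toy building blocks.

Added example, not the book's code. The primitives are deliberately tiny and
insecure (30-bit RSA primes, a hash commitment, a hashed RSA-KEM with a SHA-256
keystream DEM) and only make the shape of each paradigm concrete. The book's
zero-knowledge confirmation/denial protocols are stood in for by the
confirmer's own decrypt-and-verify.
"""
import hashlib
import hmac
import secrets


def _dem(key, data, decrypt=False):
    """Encrypt-then-MAC DEM: SHA-256 keystream XOR plus HMAC; None on a bad tag."""
    ke, km = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    body = data
    if decrypt:
        body, tag = data[:-32], data[-32:]
        if not hmac.compare_digest(tag, hmac.new(km, body, "sha256").digest()):
            return None
    stream = b"".join(hashlib.sha256(ke + i.to_bytes(4, "big")).digest()
                      for i in range(len(body) // 32 + 1))
    out = bytes(a ^ b for a, b in zip(body, stream))
    return out if decrypt else out + hmac.new(km, out, "sha256").digest()


class RSAKey:
    """Textbook RSA pair from two hard-coded primes (constructed, toy only)."""

    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))
        self.nbytes = (self.n.bit_length() + 7) // 8

    def _h(self, msg):                      # toy full-domain hash into Z_n
        return int.from_bytes(hashlib.sha256(msg).digest(), "big") % self.n

    def sign(self, msg):
        return pow(self._h(msg), self.d, self.n).to_bytes(self.nbytes, "big")

    def verify(self, msg, sig):
        s = int.from_bytes(sig, "big")
        return s < self.n and pow(s, self.e, self.n) == self._h(msg)

    def encrypt(self, msg):                 # hashed RSA-KEM: KEM part r^e, DEM key H(r)
        r = secrets.randbelow(self.n - 2) + 2
        key = hashlib.sha256(r.to_bytes(self.nbytes, "big")).digest()
        return pow(r, self.e, self.n).to_bytes(self.nbytes, "big") + _dem(key, msg)

    def decrypt(self, ct):
        r = pow(int.from_bytes(ct[:self.nbytes], "big"), self.d, self.n)
        key = hashlib.sha256(r.to_bytes(self.nbytes, "big")).digest()
        return _dem(key, ct[self.nbytes:], decrypt=True)


SIGNER = RSAKey(1_000_000_007, 998_244_353)      # signer / sender key pair
CONFIRMER = RSAKey(1_000_000_009, 999_999_937)   # confirmer / receiver key pair


def commit(msg, r):
    """Hash commitment to msg under a 32-byte decommitment r (toy)."""
    return hashlib.sha256(r + msg).digest()

# StE, confirmer signatures: sign the message, then encrypt the signature.
def ste_confirmer_sign(signer, confirmer, msg):
    return confirmer.encrypt(signer.sign(msg))

def ste_confirm(signer, confirmer, msg, csig):   # confirmer's private check
    sig = confirmer.decrypt(csig)
    return sig is not None and signer.verify(msg, sig)

# StE, signcryption: the ciphertext covers both the message and its signature.
def ste_signcrypt(sender, receiver, msg):
    return receiver.encrypt(len(msg).to_bytes(4, "big") + msg + sender.sign(msg))

def ste_unsigncrypt(sender, receiver, ct):
    pt = receiver.decrypt(ct)
    if pt is None or len(pt) < 4:
        return None
    mlen = int.from_bytes(pt[:4], "big")
    msg, sig = pt[4:4 + mlen], pt[4 + mlen:]
    return msg if sender.verify(msg, sig) else None

# CtEaS: commit to the message, encrypt the decommitment, sign the commitment.
def cteas_confirmer_sign(signer, confirmer, msg):
    r = secrets.token_bytes(32)
    c = commit(msg, r)
    return c, confirmer.encrypt(r), signer.sign(c)

def cteas_confirm(signer, confirmer, msg, csig):
    c, e, sig = csig
    r = confirmer.decrypt(e)
    return r is not None and commit(msg, r) == c and signer.verify(c, sig)

# EtS, signcryption: encrypt the message, sign the ciphertext; the outer
# signature is publicly verifiable without the receiver's key.
def ets_signcrypt(sender, receiver, msg):
    ct = receiver.encrypt(msg)
    return ct, sender.sign(ct)

def ets_public_verify(sender, sc):
    return sender.verify(sc[0], sc[1])

def ets_unsigncrypt(sender, receiver, sc):
    return receiver.decrypt(sc[0]) if ets_public_verify(sender, sc) else None
```

The contrast the book draws is visible in the function signatures: in both StE variants and in CtEaS the party that verifies needs the decryption key (here the receiver's or confirmer's RSAKey), whereas in EtS the outer signature is checked on the public ciphertext alone. A corrupted ciphertext is rejected by the DEM tag or by the signature check and every composition returns a falsy result instead of a message.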

New Paradigms


Chapter 7. EtStE: A New Paradigm for Verifiable Signcryption

The new StE and CtEtS paradigms, proposed earlier, were shown to yield very efficient confirmer signatures. Unfortunately, when applied to verifiable signcryption, these paradigms fail to give similar results. The reason is that the encryption covers the message to be signcrypted together with other strings (signatures or decommitments), which renders verification ineffective. The subject of this chapter is a new paradigm for verifiable signcryption which combines the merits of the classical paradigms while avoiding their drawbacks.
Laila El Aimani

Chapter 8. Multi-User Security

Hitherto, we have considered only a network of two users: signer/confirmer in the case of confirmer signatures, and sender/receiver in the signcryption case. This setting is too simplistic to represent reality, where it is customary to have a network of many users who want to exchange signcrypted messages. Also, in the case of confirmer signatures, it is not uncommon to have many signers who share the same confirmer, or conversely a signer who has many confirmers. We tackle in this chapter the issue of multi-user security; we first describe the concerns that arise in this extended model, then we formalize these issues in new security definitions, and finally, we give the analogs of StE, CtEtS, and EtS in the multi-user setting.
Laila El Aimani

Chapter 9. Insider Privacy

So far, privacy (invisibility/confidentiality) of the case-study primitives has been considered in the outsider model. This explains the success in “amplifying” the security of the “base” encryption, i.e. building CCA secure confirmer signatures or signcryption from CPA secure encryption (wCCA secure encryption in the multi-user setting). Such an amplification cannot hold in the insider model, since the adversary is given the signing key and can compute valid confirmer signatures/signcryptions on messages of his choosing and then submit them for verification/decryption. Therefore, the best and most optimistic result we can hope for is to at least preserve security, and base the CCA security of our primitives on the CCA security of the underlying encryption.
Besides the cost of CCA secure encryption, a further drawback is that verifiability is impeded, since (partially) homomorphic encryption is no longer allowed in the design. It is therefore imperative to look for an alternative encryption that allows one to efficiently prove knowledge of a decryption while enjoying CCA security. In this chapter, we investigate the methods used to upgrade security in public-key encryption, and adapt them to design insider-secure confirmer signatures and signcryptions without compromising verifiability.
Laila El Aimani

Chapter 10. Wrap-Up

Among the panoply of cryptographic applications that erupted with the electronic era, we confined ourselves to the study of applications that require integrity and authenticity of the transmitted data, in addition to confidentiality combined with the possibility of proving given properties about the hidden information. Our study was conducted in the context of two cryptographic primitives, namely confirmer signatures and signcryption. However, we expect the approach to extend, at least partially, to further cryptographic systems that hinge upon digital signatures and verifiable encryption. In this summary, we highlight the key steps of our work that are likely to recur when studying such systems.
Laila El Aimani

