On the security of joint signature and encryption revisited

by: Nandi Mridul, Pandit Tapas

Format: Article
Published: De Gruyter 2016-12-01

Description

In 2002, An et al. [1] proposed three generic conversions of signcryption, $\mathcal{E}t\mathcal{S}$, $\mathcal{S}t\mathcal{E}$ and $\mathcal{C}t\mathcal{E}\&\mathcal{S}$, from the primitive encryption scheme and signature scheme. However, the security proof of confidentiality in the $\mathcal{C}t\mathcal{E}\&\mathcal{S}$ paradigm was ambiguous. In this paper, we revisit these paradigms and provide a more transparent proof for the aforementioned paradigm. None of these paradigms preserves both stronger securities: strong unforgeability and IND-CCA security. We extend the above paradigms to new signcryption paradigms, $\mathcal{E}t\mathcal{S}t\mathcal{S}$, $\mathcal{S}t\mathcal{E}t\mathcal{S}$ and $\mathcal{C}t\mathcal{E}\&\mathcal{S}t\mathcal{S}$, by applying a one-time signature (OTS) cautiously at the outside layer. In these new paradigms, the stronger security of the primitive encryption and signature schemes is maintained. We also obtain a new paradigm, “Encrypt and Sign then Sign ($\mathcal{E}\&\mathcal{S}t\mathcal{S}$)”, which is surprisingly better than the $\mathcal{C}t\mathcal{E}\&\mathcal{S}t\mathcal{S}$ paradigm in all aspects except that $\mathcal{E}\&\mathcal{S}t\mathcal{S}$ does not guarantee non-repudiation. Moreover, the IND-CCA security and strong unforgeability of the proposed signcryptions are achieved from the IND-gCCA secure encryption scheme and weak unforgeable signature scheme, respectively. Further, we extend these paradigms to capture signcryptions in the attribute-based setting, also known as attribute-based signcryption (ABSC). We show that the IND-CCA security and strong unforgeability under chosen message attack of ABSC can be obtained from IND-CPA security of ABE and unforgeability under no message attack of ABS, respectively.
Furthermore, our generic constructions are applicable to a combined setup, where the public parameters and keys for the primitives ABS and ABE are identical. The security of all the generic constructions is proven in the standard model.