Digital Signcryption

by
Clayton D. Smith
A thesis
presented to the University of Waterloo
in fullment of the
thesis requirement for the degree of
Master of Mathematics
in
Combinatorics and Optimization
Waterloo, Ontario, Canada, 2005
c _Clayton D. Smith 2005
I hereby declare that I am the sole author of this thesis. This is a true
copy of the thesis, including any required nal revisions, as accepted by my
examiners.
I understand that my thesis may be made electronically available to the
public.
ii
Abstract
Signcryption is a new cryptographic primitive which simultaneously provides
both condentiality and authenticity. Previously, these two goals had been
considered separately, with encryption schemes providing condentiality and
signature schemes providing authenticity. In cases where both were required,
the encryption and signature operations were simply sequentially composed.
In 1997, Zheng demonstrated that by combining both goals into a single
primitive, it is possible to achieve signicant savings both in computational
and communication overhead. Since then, a wide variety of signcryption
schemes have been proposed.
In this thesis, we present a number of the proposed signcryption schemes
in terms of a common framework. For the most part, the material has been
previously presented in various research papers, but some previously omitted
proofs have been lled in here. We begin by giving a formal denition of
the signcryption primitive, complete with a security model. Then we look
at some of the various proposed signcryption schemes, and consider their
relative advantages and disadvantages. Finally, we look ahead at what future
progress might be made in the eld.
iii
Acknowledgements
I would like to thank my supervisor, Edlyn Teske, for proposing the topic
of signcryption, as well as providing numerous comments, suggestions, and
corrections during the writing of this thesis. I would also like to thank
Yevgeniy Dodis for his very prompt response to my questions regarding his
paper. Finally, I would like to thank my readers, Alfred Menezes and Doug
Stinson, for their valuable comments and corrections.
iv
Contents
1 Introduction 1
1.1 What is Signcryption? . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Properties of Signcryption Schemes 5
2.1 Condentiality and Authenticity . . . . . . . . . . . . . . . . 5
2.2 Non-repudiation and Signature Veriability . . . . . . . . . . 5
2.3 Forward Secrecy and Past Recovery . . . . . . . . . . . . . . 6
3 Security Models and Generic Constructions 9
3.1 Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2 Signature Schemes . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3 Signcryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3.3 The Multi-User Setting . . . . . . . . . . . . . . . . . 17
3.4 Encrypt-then-Sign and Sign-then-Encrypt . . . . . . . . . . . 20
3.5 Encrypt-and-Sign . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.6 Improvements on Encrypt-and-Sign . . . . . . . . . . . . . . . 28
4 Signcryption in the Discrete Logarithm Setting 29
4.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2 Zhengs Original Scheme . . . . . . . . . . . . . . . . . . . . . 30
4.3 Adding Non-Repudiation . . . . . . . . . . . . . . . . . . . . 33
v
4.4 A DSA-Veriable Scheme . . . . . . . . . . . . . . . . . . . . 35
5 Signcryption from Trapdoor Permutations 41
5.1 Trapdoor Permutation Families . . . . . . . . . . . . . . . . . 41
5.1.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.1.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.1.3 Examples . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.2 Cryptography from Trapdoor Permutations . . . . . . . . . . 43
5.3 Properties of PSEP2 . . . . . . . . . . . . . . . . . . . . . . . 48
6 Comparison 49
6.1 Cost of Signcryption . . . . . . . . . . . . . . . . . . . . . . . 49
6.2 Comparison Charts . . . . . . . . . . . . . . . . . . . . . . . . 51
7 Conclusions 55
7.1 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . 55
7.2 Directions for Future Research . . . . . . . . . . . . . . . . . 55
Bibliography 57
vi
List of Tables
6.1 Security Comparison . . . . . . . . . . . . . . . . . . . . . . . 52
6.2 Feature Comparison . . . . . . . . . . . . . . . . . . . . . . . 52
vii
Chapter 1
Introduction
1.1 What is Signcryption?
Of the many goals which the study of cryptography sets out to achieve,
the most important and widely studied are condentiality and authenticity.
Traditionally, these two goals have been studied separately. In the case of
public-key cryptography, condentiality is provided by encryption schemes,
while authenticity is provided by signature schemes.
In many applications, both condentiality and authenticity are needed
together. Such applications include secure email (S/MIME), secure shell
(SSH), and secure web browsing (HTTPS). Until recently, the de facto solu-
tion was to use both an encryption scheme and a signature scheme, typically
by sequentially composing the encryption and signature operations. This
state of aairs changed in 1997, when Zheng [15] proposed using a single
cryptographic primitive to achieve both condentiality and authenticity. He
called this primitive signcryption.
At rst glance, it is not clear why there should be any advantage to
lumping both goals into a single primitive. However, Zheng and others have
demonstrated, through concrete examples, that signcryption schemes can
provide clear benets over the traditional sequential composition of encryp-
tion and signature schemes. For example:
It is possible to create signcryption schemes which are more ecient, in
terms of computational complexity and/or communication overhead,
than the sequential composition of signature and encryption schemes.
We will see concrete examples of such schemes in Chapters 4 and 5.
Many signcryption schemes require only a single key pair for each user,
1
while the traditional approach requires two: one for encrypting and
one for signing.
Some signcryption schemes allow expensive cryptographic operations
to be parallelized.
In its most basic form, the sequential composition of signature and
encryption schemes yields only a weakly secure signcryption scheme, as
we shall see in Chapter 3. With some slight modications, it is possible
to achieve a much stronger level of security. This example suggests that
it is worthwhile to work inside the framework of signcryption whenever
both authenticity and condentiality are required.
The availability of a signcryption primitive can simplify the design
of cryptographic protocols which require both authenticity and con-
dentiality. For example, Dodis et al. [5] have given a very simple
signcryption-based authenticated key-exchange protocol.
It is clear from this list that signcryption is a topic worthy of further study,
and that it should be considered whenever designing systems that require
both condentiality and authenticity.
1.2 Outline
We begin in Chapter 2 by considering what properties every signcryption
scheme should have, and what additional properties would be desirable.
In Chapter 3 we give a formal denition of signcryption, complete with a
security model. We also look at several signcryption schemes which can
be built from plain encryption and signature schemes. In Chapter 4 we
explore a variety of signcryption schemes based on the discrete logarithm
problem. In Chapter 5 we do the same for schemes based on trapdoor one-
way permutations. In Chapter 6 we compare the various schemes presented
in previous chapters, and we conclude in Chapter 7.
1.3 Scope
Since a great deal of research has already been done in the eld of signcryp-
tion, it is impossible to cover the entire eld here. The signcryption schemes
which are presented here certainly do not constitute an exhaustive list, but
instead are intended to give an overview of the various research directions
which have been explored so far.
2
The material presented here is, for the most part, a unied presentation
of existing work. However, some new material is presented, mainly in the
form of proofs which were omitted from the original research papers. These
proofs are indicated as such where they appear.
A few veins of research are explicitly not considered here. The most
notable is identity-based signcryption, which is an adaptation of identity-
based encryption to the case of signcryption. Interested readers should begin
with the paper of Malone-Lee [7].
3
Chapter 2
Properties of Signcryption
Schemes
In this chapter, we take an informal look at the most important properties of
signcryption schemes, and explain their connection to the formal denition
of signcryption, which will be presented in Chapter 3.
2.1 Condentiality and Authenticity
At the very least, we would expect a signcryption scheme to achieve the
basic goals of encryption and signature schemes, namely condentiality and
authenticity.
By condentiality, we mean that only the intended recipient of a sign-
crypted message should be able to read its contents. That is, upon seeing
a signcrypted message, an attacker should learn nothing about the original
message, other than perhaps its length.
By authenticity, we mean that the recipient of a signcrypted message
can verify the senders identity. That is, an attacker should not be able to
send a message, claiming to be someone else.
It is these two properties which we require of all signcryption schemes.
They will form the security portion of the formal denition of signcryption.
2.2 Non-repudiation and Signature Veriability
By non-repudiation, we mean that the sender of a message cannot later deny
having sent the message. That is, the recipient of a message can prove to a
third party that the sender indeed sent the message.
5
Note that signature schemes always provide non-repudiation, since any-
one can verify a signature using only the senders public key. That is, the
recipient of a signed message need only forward it to a third party, who can
then verify the senders signature. This is not the case for signcryption,
since the condentiality property implies that only the recipient should be
able to read the contents of a signcrypted message sent to him. However, it
is possible to achieve non-repudiation by other means.
An, Dodis, and Rabin [1] argue that non-repudiation should not be in-
cluded in the denition of signcryption, since there are some cases where it
is explicitly undesirable. For example, Krawczyk and Rabin [6] have pro-
posed chameleon signature schemes, in which only the intended recipient of
a message can verify its authenticity. To allow such possibilities also in the
case of signcryption, we will not include non-repudiation in our denition.
However, when discussing the various proposed signcryption schemes, we
indicate which of them provide non-repudiation.
Among those signcryption schemes which provide non-repudiation, some
provide it in the following way: The recipient of a signcrypted message
recovers the original message m, along with a signature s of that message
under some signature scheme o, and provides (m, s) to the verier, who
veries the senders signature using o. Such a signcryption scheme is called
o-veriable, since the verier uses only the signature scheme o. This term
was introduced by Shin, Lee, and Shim [14], who proposed the rst DSA-
veriable signcryption scheme.
o-veriable signcryption schemes are especially desirable if o is a com-
monly used signature scheme, as is the case with DSA. We will indicate
which of the proposed signcryption schemes are o-veriable, and under
which signature scheme o.
2.3 Forward Secrecy and Past Recovery
By forward secrecy, we mean that an attacker cannot read signcrypted mes-
sages, even with access to the senders private key. That is, the conden-
tiality of signcrypted messages is protected, even if the senders private key
is compromised.
On the other hand, the sender of a signcrypted message may later want
to recover its contents. The sender could simply store a copy of the original
message, but this would require additional storage and could be a security
risk. Some signcryption schemes oer a better alternative; they allow the
sender to use his private key to recover the original message from the cipher-
6
text. (Note that traditional encryption schemes do not oer this possibility,
since the senders key pair is not involved in the encryption process.) Those
signcryption schemes which oer this possibility are said to provide past
recovery. This property was rst considered by Zheng [15], whose original
signcryption scheme provides it.
Clearly forward secrecy and past recovery are mutually exclusive. Thus
schemes which provide past recovery should be used with care, since the
advantage of past recovery comes at the cost of losing forward secrecy. We
will leave enough exibility in our security model to allow for both forward
secrecy and past recovery. We will indicate which of them is provided by
each of the proposed signcryption schemes.
7
Chapter 3
Security Models and Generic
Constructions
In this chapter, we present the formal denition and security model for
signcryption given by An, Dodis, and Rabin [1]. Their model is closely
related to the security models for encryption and signature schemes, which
we also present. We then present several signcryption schemes which are
provably secure under their model. These constructions are generic, in the
sense that they can be built from any encryption and signature schemes
satisfying certain security requirements.
3.1 Encryption Schemes
3.1.1 Syntax
An encryption scheme is a triple of algorithms c = (Enc-KeyGen, Enc, Dec):
Enc-KeyGen is a randomized algorithm which accepts 1
k
, where k is a
security parameter
1
, and outputs a key pair (EK, DK). EK is the en-
cryption key, which is made public. DK is the decryption key, which is
kept secret. This operation is denoted by (EK, DK) Enc-KeyGen(1
k
).
Enc is a randomized algorithm which accepts an encryption key EK and
a message m, and outputs a ciphertext c. This operation is denoted
1
In this context, 1
k
denotes a string of k ones. The algorithms Enc-KeyGen, Enc, and
Dec must run in polynomial time with respect to the length of this parameter, i.e. |1
k
| = k.
We will also use k later in the denition of security.
9
by c Enc
EK
(m), or simply c Enc(m) if it is clear which encryption
key is being used.
Dec is a deterministic algorithm which accepts a decryption key DK
and a ciphertext c, and outputs a message m, or the special symbol
in the case of an invalid ciphertext. This operation is denoted by
m Dec
EK
(c), or simply m Dec(c) if it is clear which decryption
key is being used.
We require that Dec
DK
(Enc
EK
(m)) = m for all m, and for all key pairs
(EK, DK) generated by Enc-KeyGen.
3.1.2 Security
To dene the security of an encryption scheme, we must specify two things:
the goal of the adversary, and the capabilities given to the adversary. The
highest level of security is provided when an adversary is unable to achieve
even the weakest goal, when given the strongest capabilities.
We will always dene the goal of the adversary in terms of a game which
the adversary attempts to win. Steps which the adversary must perform
will be written in the form
(o
1
, . . . , o
m
) /(i
1
, . . . , i
n
)
where / is the adversary, (i
1
, . . . , i
n
) are the inputs given to it, and (o
1
, . . .,
o
m
) are the outputs it returns. Unless otherwise stated, the adversary only
has access to the information which is passed to it as input.
In the case of encryption, we will take the goal of the adversary to be
distinguishing ciphertexts. The game played by the adversary consists of
two stages. First the adversary is given the encryption key from a fresh
key pair, and must select two messages m
0
and m
1
of equal length (the nd
stage). Then one of the messages is chosen at random and encrypted, and
the adversary must correctly determine which one was encrypted (the guess
stage). The formal denition of this game is as follows:
1. (EK, DK) Enc-KeyGen(1
k
)
2. (m
0
, m
1
, ) /(EK, nd)
3. b
R
0, 1
4. c Enc(m
b
)
5.

b /(c, , guess).
10
/ wins in the case that b =

b. The adversary is permitted to store some
state information between the nd and guess stages.
Of course, /could win this game with probability 1/2 by simply choosing

b at random. Thus we consider an adversary successful only if it can win the

game with probability signicantly greater than 1/2. To make this notion
more precise, we use the following denition.
Denition 3.1. We say that a function f : N [0, 1] is negligible if, for
all c > 0, there exists k
0
N such that f(k)
1
k
c
whenever k k
0
. We use
the notation negl(k) to indicate some negligible function of k.
Now we can complete the denition of indistinguishability. If c is an
encryption scheme for which
Pr[/ wins] <
1
2
+ negl(k)
for all probabilistic polynomial-time (PPT) adversaries /, then we say that
c achieves indistinguishability of ciphertexts, or IND.
Next we must dene the powers given to /. At the very least, / has
access to the encryption key EK, allowing it to encrypt arbitrary messages.
This type of attack is known as a chosen plaintext attack or CPA. A stronger
type of attack is the chosen ciphertext attack or CCA2, in which / may
decrypt arbitrary ciphertexts via a decryption oracle
2
, with the exception
that it may not decrypt the target ciphertext c given to it in step 4 of the
game.
When indicating the security level provided by an encryption scheme,
we write the adversarial goal and capabilities together. For example, an
encryption scheme which achieves indistinguishability of ciphertexts against
a chosen ciphertext attack is said to be IND-CCA2-secure.
Generalizing the chosen ciphertext attack
In fact, the chosen ciphertext attack can be slightly too restrictive. To see
this, consider taking an IND-CCA2-secure encryption scheme, and modifying
it so the encryption algorithm appends a random bit to the ciphertext after
encryption, and the decryption algorithm discards this bit before decryption.
Intuitively, appending a random bit should not aect the security of the
scheme. But in fact the resulting scheme is not IND-CCA2-secure, since the
2
The digit 2 in CCA2 indicates that the decryption oracle may be queried in both the
nd and guess stages. This is in contrast to CCA1, in which the decryption oracle is only
available during the nd stage.
11
adversary can simply toggle the random bit of the target ciphertext, then
query the decryption oracle with this new ciphertext.
This problem led An, Dodis, and Rabin [1] to generalize CCA2 slightly,
by introducing an equivalence relation (, ) on ciphertexts, and prohibit-
ing the attacker from querying the decryption oracle with any ciphertext
equivalent to the target ciphertext under .
To ensure that this generalization weakens the attackers capabilities as
little as possible, we introduce some restrictions on . First of all, the
relation must be ecient to evaluate, given only the encryption key EK. In
addition, it must be decryption-respecting, which means that (c
1
, c
2
) = true
only if Dec(c
1
) = Dec(c
2
). That is, we may only restrict the attacker from
decrypting other encryptions of the target message.
We say that an encryption scheme c is secure against a generalized chosen
ciphertext attack or gCCA2 if there is some equivalence relation , which
satises the above conditions, and with respect to which c is CCA2-secure.
Clearly any CCA2-secure encryption scheme is also gCCA2-secure, since we
can simply take to be the ordinary equality relation. Also note that
appending a random bit to an IND-CCA2-secure encryption scheme is no
longer a problem, since the resulting scheme is still IND-gCCA2-secure. To
see this, simply dene (c
1
, c
2
) to be true whenever c
1
and c
2
agree on all
but the appended bit.
3.2 Signature Schemes
3.2.1 Syntax
A signature scheme is a triple of algorithms o = (Sig-KeyGen, Sig, Ver):
Sig-KeyGen is a randomized algorithm which accepts 1
k
, where k is a
security parameter, and outputs a key pair (SK, VK). SK is the signing
key, which is kept private. VK is the verication key, which is made
public. This operation is denoted by (SK, VK) Sig-KeyGen(1
k
).
Sig is a randomized algorithm which accepts a signing key SK and a
message m, and outputs a signature s. This operation is denoted by
s Sig
SK
(m), or simply s Sig(m) if it is clear which signing key is
being used.
Ver is a deterministic algorithm which accepts a verication key VK,
a message m and a signature s, and outputs an answer a, which is
either succeed or fail. This operation is denoted by a Ver
VK
(m, s),
12
or simply a Ver(m, s) if it is clear which verication key is being
used.
We require that Ver
VK
(m, Sig
SK
(m)) = succeed for all m, and for all key
pairs (SK, VK) generated by Sig-KeyGen.
3.2.2 Security
As in the case of encryption schemes, we must specify both the goal of the
adversary, and the capabilities given to it.
As the goal of the adversary, we will use existential forgery. To achieve
existential forgery, the adversary / must simply produce a valid signature,
for any message of its choosing. That is, it must win the following game:
1. (SK, VK) Sig-KeyGen(1
k
)
2. (m, s) /(VK).
/ wins the game if Ver
VK
(m, s) returns succeed. If o is a signature scheme
for which
Pr[/ wins] < negl(k)
for all PPT adversaries /, then we say that o achieves existential unforge-
ability, or UF.
Next we must dene the powers given to /. In a no message attack or
NMA, the adversary / is only given access to the verication key VK. In a
chosen message attack or CMA, the adversary is additionally given access
to a signing oracle. In this case, / must produce a signature for a new
message, i.e. one which it did not previously sign with the signing oracle.
As with encryption schemes, to indicate the security level provided by
a signature scheme we write the adversarial goal and capabilities together.
For example, a signature scheme which achieves existential unforgeability
against a chosen message attack is said to be UF-CMA-secure.
Although UF-CMA-security is sucient for almost all applications, it can
be strengthened slightly, by declaring the adversary successful if it produces
either a signature for a new message (as before), or else a new signature
for a previously signed message. This type of security is known as strong
unforgeability against a chosen message attack, or sUF-CMA.
3.3 Signcryption
For simplicity, we rst present the denition of signcryption in the so-called
two-user setting. In this setting, we assume that only two users, a sender A
13
and a recipient B are using the signcryption scheme. Thus we do not need
to worry about attacks such as identity fraud, where one user pretends to
be another. Later we will extend the denition to the multi-user setting,
which protects against such attacks.
3.3.1 Syntax
A signcryption scheme is a triple of algorithms o( = (KeyGen, SigEnc, VerDec):
KeyGen is a randomized algorithm which accepts 1
k
, where k is a
security parameter, and outputs a key pair (SDK, VEK). SDK is the
signing and decryption key, which is kept secret. VEK is the verication
and encryption key, which is made public. This operation is denoted
by (SDK, VEK) KeyGen(1
k
). Both the sender A and the recipient
B of a message must invoke Sig-KeyGen before they can communicate;
we call their key pairs (SDK
A
, VEK
A
) and (SDK
B
, VEK
B
) respectively.
SigEnc is a randomized algorithm which accepts the senders signing
and decryption key SDK
A
and the recipients verication and encryp-
tion key VEK
B
, as well as a message m, and outputs a signcrypted
message u. This operation is denoted by u SigEnc
SDK
A
,VEK
B
(m), or
simply s SigEnc(m) if it is clear which keys are being used.
VerDec is a deterministic algorithm which accepts the senders veri-
cation and encryption key VEK
A
and the recipients signing and de-
cryption key SDK
B
, as well as a signcrypted message u, and outputs
a message m, or the special symbol in the case of an invalid sign-
cryption. This operation is denoted by m VerDec
VEK
A
,SDK
B
(u), or
simply m VerDec(u) if it is clear which keys are being used.
We require that VerDec
VEK
A
,SDK
B
(SigEnc
SDK
A
,VEK
B
(m)) = m for all m, and
for all key pairs (SDK
A
, VEK
A
) and (SDK
B
, VEK
B
) generated by KeyGen.
3.3.2 Security
In dening security for signcryption, we distinguish between two classes of
attacks: outsider attacks, in which the attacker has access only to public in-
formation, and insider attacks, in which the attacker additionally has either
the senders or the recipients private key. In each case, we must ensure that
the two basic security goals of signcryption, condentiality and authenticity,
are provided.
14
Outsider Security
In the outsider security model, we assume that the adversary / only has
access to public information, i.e. pub = VEK
A
, VEK
B
. The goal of the
adversary is to break either the condentiality of the scheme, by distinguish-
ing ciphertexts, or the authenticity of the scheme, by achieving existential
forgery. In both cases, we give / oracle access to the senders signcryp-
tion functionality, SigEnc
SDK
A
,VEK
B
(), and the recipients de-signcryption
functionality, VerDec
VEK
A
,SDK
B
().
To distinguish ciphertexts, the adversary / must win the following game,
with probability signicantly greater than 1/2:
1. (SDK
A
, VEK
A
) KeyGen(1
k
)
2. (SDK
B
, VEK
B
) KeyGen(1
k
)
3. (m
0
, m
1
, ) /(VEK
A
, VEK
B
, nd)
4. b
R
0, 1
5. u SigEnc(m
b
)
6.

b /(u, , guess)
/ wins in the case that b =

b. It is allowed to make arbitrary queries to
its signcryption and de-signcryption oracles at any point during its nd and
guess stages (steps 3 and 6), with the exception that in the guess stage we
disallow it from querying the de-signcryption oracle with the target cipher-
text u given to it in step 5. As with encryption schemes, we require that
[m
0
[ = [m
1
[.
Note that this is completely analogous to distinguishing ciphertexts in
the case of encryption schemes. If o( is a signcryption scheme for which
Pr[/ wins] <
1
2
+ negl(k)
for all PPT adversaries /, then we say o( is outsider-secure against an
IND-CCA2 attack.
As in the case of encryption schemes, security under IND-CCA2 attacks
can be too restrictive. Thus we introduce a decryption-respecting
3
equiv-
alence relation , which can be eciently evaluated using only the pub-
lic information, VEK
A
and VEK
B
. We disallow / from querying the de-
signcryption oracle with any ciphertext equivalent to the target ciphertext
under . We say that o( is outsider-secure against an IND-gCCA2 attack if
3
In this case, decryption-respecting means that R(u1, u2) = true only if VerDec(u1) =
VerDec(u2).
15
there is some equivalence relation with respect to which o( is outsider-
secure against an IND-CCA2 attack.
To achieve existential forgery, the adversary / must win the following
game, with probability signicantly greater than zero:
1. (SDK
A
, VEK
A
) KeyGen(1
k
)
2. (SDK
B
, VEK
B
) KeyGen(1
k
)
3. u /(VEK
A
, VEK
B
)
/ wins the game if u is a valid signcryption of any message not queried to
the signcryption oracle.
Note that this is very similar to achieving existential forgery in the case
of signature schemes, except that the adversary here is not required to know
which message m it has forged. If o( is a signcryption scheme for which
Pr[/ wins] < negl(k)
for all PPT adversaries /, then we say o( is outsider-secure against a
UF-CMA attack. As in the case of signature schemes, we can dene strong
unforgeability against a chosen message attack, or sUF-CMA, by modifying
the game so that / wins as long as u is dierent from any of the ciphertexts
returned by the signcryption oracle.
In the context of outsider security, the suxes CCA2 (in IND-CCA2 and
IND-gCCA2) and CMA (in UF-CMA and sUF-CMA) are slightly misleading,
since in all cases the adversary is allowed both to signcrypt chosen messages,
and to de-signcrypt chosen ciphertexts, via its oracles. Fortunately this
problem disappears when we move to insider security.
Insider Security
To dene insider security, we simply make some small modications to the
denitions given above.
When distinguishing ciphertexts, we give the adversary / access to the
senders secret key, SDK
A
. That is, step 3 of the game becomes
(m
0
, m
1
, ) /(SDK
A
, VEK
A
, VEK
B
, nd).
Of course, with access to SDK
A
, the adversary no longer needs the signcryp-
tion oracle SigEnc
SDK
A
,VEK
B
(). Even though we give the adversary access
to SDK
A
, we still allow the relation to depend only on VEK
A
and VEK
B
in the case of an IND-gCCA2 attacks.
16
When producing an existential forgery, we give /access to the recipients
secret key, SDK
B
. That is, step 3 of the game becomes
u /(VEK
A
, SDK
B
, VEK
B
).
With access to SDK
B
, the adversary no longer needs the de-signcryption
oracle VerDec
VEK
A
,SDK
B
().
Optimally, we would like a signcryption scheme to be secure against
IND-CCA2 attacks on its condentiality and against sUF-CMA attacks on its
authenticity. However, security against IND-gCCA2 and UF-CMA attacks is
sucient for most applications.
Insider vs. Outsider Security
Since insider security is strictly stronger than outsider security, and since
there are already many signcryption schemes which provide insider security,
one might wonder why it is useful to dene outsider security at all. One
possible reason is that insider security on the condentiality of a signcryption
scheme is precisely forward secrecy, and this precludes past recovery (see
Section 2.3).
In the case of authenticity, insider security is necessary for any scheme
which provides non-repudiation; without it, there would be nothing to pre-
vent a user from forging a message to himself. It is not clear whether there
are any situations where insider security on authenticity would be explicitly
undesirable, and indeed all the signcryption schemes we present here provide
insider security on authenticity.
3.3.3 The Multi-User Setting
Now that we have dened signcryption in the two-user setting, we can make
some small modications to dene it in the multi-user setting. In this setting,
there may be any number of users who wish to communicate with each other.
We assume that each user P has an identity ID
P
, which members of the
network can use to uniquely identify the user (for example by name or email
address) and obtain Ps public key VEK
P
. In practice, ID
P
and VEK
P
are
typically contained in a certicate provided by a certication authority.
Note that multi-user settings have been dened for other cryptographic
primitives. For example, Menezes and Smart [8] have dened a multi-user
setting for signature schemes.
17
Syntax
To begin, we modify the signcryption and de-signcryption algorithms, SigEnc
and VerDec. In the two-user setting we dened these to accept the keys of
the sender and recipient. In the multi-user setting they accept identities
instead of keys.
For a given user A who wishes to send a message to some user B

,
SigEnc takes as input a message m, and two identities ID
A
and ID
B
. After
checking that ID
A
= ID
A
, SigEnc then signcrypts the message m using
SDK
A
and VEK
B
, and outputs (u, ID
A
, ID
B
). This operation is denoted
by (u, ID
A
, ID
B
) SigEnc
A
(m, ID
A
, ID
B
). When describing signcryption
schemes, we typically omit the identity verication step, and simply write
u SigEnc(m, ID
A
, ID
B
).
For a given user B who has received a ciphertext from some user A

,
VerDec takes as input a ciphertext u, and two identities ID
A
and ID
B
. After
checking that ID
B
= ID
B
, VerDec then de-signcrypts the ciphertext u using
VEK
A
and SDK
B
. This operation is denoted by m VerDec
B
(u, ID
A
, ID
B
).
Once again, the identity verication step is typically omitted, and we simply
write m VerDec(m, ID
A
, ID
B
).
Security
As in the two-user setting, we distinguish between outsider and insider se-
curity. In both cases, we dene security as in the two-user setting, but with
a few small modications.
In the outsider security model, when attacking communication between
a pair of users A and B, we assume that the adversary / has access to
the private keys of all users other than A and B. As in the two-user set-
ting, we give / oracle access to As signcryption functionality and Bs de-
signcryption functionality. However, we make the oracles somewhat more
exible in the multi-user setting, by allowing / to select any recipient (not
necessarily B) when calling the signcryption oracle, and any sender (not nec-
essarily A) when calling the de-signcryption oracle. That is, / has oracle
access to SigEnc(, ID
A
, ) and VerDec(, , ID
B
).
To break the UF-CMA-security, / must produce a valid signcryption
(u, ID
A
, ID
B
) of a message m, without asking the signcryption oracle to sign-
crypt (m, ID
A
, ID
B
). Note, however, that / may request the signcryption of
(m, ID
A
, ID
B
) for some B

,= B. Now the game is as follows:

1. (SDK
A
, VEK
A
) KeyGen(1
k
)
2. (SDK
B
, VEK
B
) KeyGen(1
k
)
18
3. u /(VEK
A
, VEK
B
)
/ wins the game if VerDec(u, ID
A
, ID
B
) returns anything other than . The
fact that the attacker has access to the private keys of all other users is mod-
elled by allowing / to create its own keys pairs and corresponding identities,
and pass them to the oracles as parameters. / is not required to generate
key pairs via KeyGen, thus giving it a great deal of freedom in terms of oracle
access.
To break the IND-CCA2-security, / must produce two messages m
0
and
m
1
, and then distinguish between SigEnc(m
0
, ID
A
, ID
B
) and SigEnc(m
1
, ID
A
,
ID
B
) without passing (u, ID
A
, ID
B
) to the de-signcryption oracle, where u
is the challenge ciphertext. Note, however, that / may request the de-
signcryption of (u, ID
A
, ID
B
) for some A

,= A. More formally, / must win

the following game:
1. (SDK
A
, VEK
A
) KeyGen(1
k
)
2. (SDK
B
, VEK
B
) KeyGen(1
k
)
3. (m
0
, m
1
, ) /(VEK
A
, VEK
B
, nd)
4. b
R
0, 1
5. u SigEnc
A
(m
b
, ID
A
, ID
B
)
6.

b /(u, , guess)
The adversary / wins in the case that b =

b. As usual, we require that
[m
0
[ = [m
1
[.
In the insider security model, the adversary / attacks either the authen-
ticity of a sender A, or the condentiality of a recipient B. In the rst case,
we give / access to the private keys of all users except A. Also / has access
to As signcryption oracle, SigEnc(, ID
A
, ). It must create a valid signcryp-
tion (u, ID
A
, ID
B
) for some message m and recipient B

, without querying
its signcryption oracle with (m, ID
A
, ID
B
). As before, it may make the query
(m, ID
A
, ID
B
) for some B

,= B

. The game played by / is:

1. (SDK
A
, VEK
A
) KeyGen(1
k
)
2. (u, ID
B
) /(VEK
A
)
/ wins the game if VerDec(u, ID
A
, ID
B
) returns anything other than .
Note that only As key pair is generated at the start, leaving / free to
choose keys for B

as it pleases. Once again, it is not required to do so using

KeyGen.
When attacking the condentiality of a user B, we give / access to the
private keys of all users except B. Also, / has access to Bs de-signcryption
19
oracle, VerDec(, , ID
B
). It must choose a sender A

, produce two mes-

sages m
0
and m
1
, and then distinguish between SigEnc(m
0
, ID
A
, ID
B
) and
SigEnc(m
1
, ID
A
, ID
B
) without passing (u, ID
A
, ID
B
) to its de-signcryption
oracle, where u is the challenge ciphertext. Of course, it may make the
query (u, ID
A
, ID
B
) for some A

,= A

. The game played by / is:

1. (SDK
B
, VEK
B
) KeyGen(1
k
)
2. (m
0
, m
1
, ID
A
, ) /(VEK
B
, nd)
3. b
R
0, 1
4. u SigEnc(m
b
, ID
A
, ID
B
)
5.

b /(u, , guess)
As usual, / wins in the case that b =

b. Note that only Bs key pair is
generated at the start, leaving / free to choose keys for A

as it pleases.
Once again, we can dene the IND-gCCA2 security level for conden-
tiality, and the sUF-CMA security level for authenticity. In the case of
IND-gCCA2 security, the relation must take into account the identities
of the sender and recipient to be decryption-respecting. Specically, we
must have (u
1
, u
2
) = true only if u
1
and u
2
are both signcryptions of the
same message, with the same sender and recipient.
3.4 Encrypt-then-Sign and Sign-then-Encrypt
Prior to Zhengs work [15], the usual way to provide both condentiality and
authenticity was to sequentially compose encryption and signature schemes.
This can be done in two ways: encrypt-then-sign (cto), and sign-then-
encrypt (otc).
To verify that our denition of signcryption is a good one, it is worth-
while to start by checking whether these two constructions are secure as
signcryption schemes. We begin by dening cto and otc in the two-user
setting, and then adapt the denitions to provide security in the multi-user
setting.
Denition 3.2 (Encrypt-then-sign). Given an encryption scheme c and
a signature scheme o, we dene the two-user signcryption scheme cto as
follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
20
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc
SDK
A
,VEK
B
(m):
1. e Enc
EK
B
(m)
2. s Sig
SK
A
(e)
3. Return (e, s).
VerDec
VEK
A
,SDK
B
(e, s):
1. a Ver
VK
A
(e, s)
2. If a = succeed return m Dec
DK
B
(e) else return .
Denition 3.3 (Sign-then-encrypt). Given an encryption scheme c and
a signature scheme o, we dene the two-user signcryption scheme otc as
follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc
SDK
A
,VEK
B
(m):
1. s Sig
SK
A
(m)
2. Return u Enc
EK
B
(m[[s).
VerDec
VEK
A
,SDK
B
(u):
1. m[[s Dec
DK
B
(u)
2. If Ver
VK
A
(m, s) = succeed return m else return .
Theorem 3.4. Suppose that c is an IND-gCCA2-secure encryption scheme,
and that o is a UF-CMA-secure signature scheme. Then cto and otc are
insider-secure against IND-gCCA2 attacks on condentiality, and against
UF-CMA attacks on authenticity, in the two-user setting.
The proof is given in An, Dodis, and Rabin [1]. We omit it here, and
instead we give the proofs for the corresponding theorems in the multi-user
setting.
Now we consider how to adapt cto and otc to the multi-user setting.
Note that the current denitions cannot be left unchanged, since they are in-
secure even against outsider attacks in the multi-user setting. In the case of
cto an adversary can distinguish between ciphertexts from A to B by remov-
ing As signature s from the challenge ciphertext u = (e, s), and replacing it
with the signature s

of some other user A

. It can then de-signcrypt (e, s

)
21
using its de-signcryption oracle, revealing the message. In the case of otc
an adversary can forge a message from A to B by choosing some message
m, requesting u

SigEnc(m, ID
A
, ID
B
) for some other user B

, then de-
crypting u

into m[[s and re-encrypting it with Bs public key, to get a valid

signcryption u from A to B.
To avoid these attacks, we need to bring the identities of the sender and
recipient into the calculations. An, Dodis, and Rabin [1] solved this problem
by simply appending the senders identity before encrypting, and appending
the recipients identity before signing. This results in the following schemes:
Denition 3.5 (Multi-user encrypt-then-sign). Given an encryption
scheme c and a signature scheme o, we dene the multi-user signcryption
scheme cto

as follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc(m, ID
A
, ID
B
):
1. e Enc
EK
B
(m[[ID
A
)
2. s Sig
SK
A
(e[[ID
B
)
3. Return (e, s).
VerDec(e, s, ID
A
, ID
B
):
1. If Ver
VK
A
(e[[ID
B
, s) = fail return .
2. m[[ID
A
Dec
DK
B
(e)
3. If ID
A
= ID
A
return m else return .
Denition 3.6 (Multi-user sign-then-encrypt). Given an encryption
scheme c and a signature scheme o, we dene the multi-user signcryption
scheme otc

as follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc(m, ID
A
, ID
B
):
1. s Sig
SK
A
(m[[ID
B
)
2. Return u Enc
EK
B
(m[[s[[ID
A
).
22
VerDec(u, ID
A
, ID
B
):
1. m[[s[[ID
A
Dec
DK
B
(u)
2. If ID
A
,= ID
A
return .
3. If Ver
VK
A
(m[[ID
B
, s) = succeed return m else return .
These new multi-user versions are indeed secure in the insider security
model, as demonstrated by the following theorems. The proofs presented
here are the original work of the author.
Theorem 3.7. Suppose that c is an IND-gCCA2-secure encryption scheme,
and that o is a UF-CMA-secure signature scheme. Then cto

is insider-
secure against IND-gCCA2 attacks on condentiality, and against UF-CMA
attacks on authenticity, in the multi-user setting.
Proof. Condentiality: Since we are dealing with IND-gCCA2 security,
we must rst deal with the issue of equivalence relations. Let
E
be the
relation with respect to which c is IND-CCA2-secure, and for cto

dene

EtS
((e
1
, s
1
, ID
A
1
, ID
B
1
), (e
2
, s
2
, ID
A
2
, ID
B
2
)) to be
E
(e
1
, e
2
) if A
1
= A
2
,
B
1
= B
2
, Ver
VK
A
1
(e
1
[[ID
B
1
, s
1
) = succeed, and Ver
VK
A
2
(e
2
[[ID
B
2
, s
2
) =
succeed; or false otherwise. Note that
EtS
can be eciently evaluated
using only VK
A
1
and VK
A
2
, which are public.
Now we will show that cto

is insider-secure against IND-CCA2 attacks

with respect to
EtS
, by way of contradiction. Suppose there exists an
adversary /
EtS
which can break the IND-CCA2 security of cto

with non-
negligible probability. We convert this to an adversary /
E
which can break
the IND-CCA2 security of c with the same probability, in the same time,
and using the same number of oracle queries.
Let (EK
B
, DK
B
) be the key pair which /
E
is trying to attack. In the nd
stage, after being given EK
B
, /
E
does the following:
1. (SK
B
, VK
B
) Sig-KeyGen(1
k
)
2. (m
0
, m
1
, ID
A
, ) /
EtS
((VK
B
, EK
B
), nd)
3. Return (m
0
[[ID
A
, m
1
[[ID
A
, ).
In the guess stage, once given the target ciphertext e = Enc
EK
B
(m
b
[[ID
A
)
for b
R
0, 1, /
E
does the following:
1. s Sig
SK
A

(e[[ID
B
)
2. Return

b /
EtS
((e, s, ID
A
, ID
B
), , guess).
Note that /
EtS
may make queries to its de-signcryption oracle. To respond
to a query (e

, s

, ID
A
, ID
B
), /
E
does the following:
23
1. If Ver
VK
A

(e

[[ID
B
, s

) = fail return .
2. If
E
(e, e

) = true return .
3. m[[ID
A
Dec
DK
B
(e

)
4. If ID
A
= ID
A
return m else return .
Note that /
E
may perform step 3 using its decryption oracle, since step 2
guarantees that e

is not equivalent to the target ciphertext, e.

To nish the proof, we must check that the above steps perfectly simulate
the VerDec algorithm of cto

. Apart from step 2, the above steps are pre-

cisely those of VerDec. Step 2 could interfere only in the case that
E
(e, e

) =
true (and Ver
VK
A

(e

[[ID
B
, s

) = succeed, since otherwise step 2 is not exe-

cuted). Suppose then that /
EtS
makes some oracle query (e

, s

, ID
A
, ID
B
)
for which Ver
VK
A

(e

[[ID
B
, s

) = succeed and
E
(e, e

) = true. We know that

e is an encryption of m
b
[[ID
A
. Since
E
is decryption respecting, e

too is an
encryption of m
b
[[ID
A
. Now there are two cases to consider. If ID
A
,= ID
A

then the last step of VerDec would return , just as step 2 above. If
ID
A
= ID
A
we quickly run into a contradiction. By the denition of s,
we have Ver
VK
A

(e[[ID
B
, s) = succeed. Since Ver
VK
A

(e

[[ID
B
, s

) = succeed
as well, we have
EtS
((e, s, ID
A
, ID
B
), (e

, s

, ID
A
, ID
B
)) =
E
(e, e

) = true.
But this contradicts the fact that /
EtS
does not query its de-signcryption
oracle with anything equivalent to the target ciphertext.
Authenticity: Suppose there is an adversary /
EtS
which can break
the UF-CMA security of cto

with non-negligible probability. We convert

this to an adversary /
S
which can break the UF-CMA security of o with the
same probability, in the same time, and using the same number of oracle
queries.
Let (SK
A
, VK
A
) be the key pair which /
S
is trying to attack. After
being given VK
A
, /
S
does the following:
1. (EK
A
, DK
A
) Enc-KeyGen(1
k
)
2. (e, s, ID
A
, ID
B
) /
EtS
((VK
A
, EK
A
))
3. Return (e[[ID
B
, s).
In step 2, /
EtS
may make queries to its signcryption oracle. To respond to
a query (m

, ID
A
, ID
B
), /
S
does the following:
1. e

Enc
EK
B

(m

[[ID
A
)
2. s

Sig
SK
A
(e

[[ID
B
)
3. Return (e

, s

).
Note that /
S
may perform step 2 using its signing oracle. We must check,
however, that the message e[[ID
B
signed by /
S
is not equal to any of
24
the messages e

[[ID
B
passed to its signing oracle. Suppose otherwise, i.e.
ID
B
= ID
B
and e = e

. Note that e = Enc

EK
B

(m[[ID
A
) for some m,
and e

= Enc
EK
B

(m

[[ID
A
) = Enc
EK
B

(m

[[ID
A
) for some m

. Then since
e = e

we have Enc
EK
B

(m[[ID
A
) = Enc
EK
B

(m

[[ID
A
), which implies that
m[[ID
A
= m

[[ID
A
, so m = m

, contradicting the fact that /

EtS
produces a
signcryption for a message not queried to its signcryption oracle.
Theorem 3.8. Suppose that c is an IND-gCCA2-secure encryption scheme,
and that o is a UF-CMA-secure signature scheme. Then otc

is insider-
secure against IND-gCCA2 attacks on condentiality, and against UF-CMA
attacks on authenticity, in the multi-user setting.
Proof. Condentiality: Since we are dealing with IND-gCCA2 security,
we must rst deal with the issue of equivalence relations. Let
E
be the
relation with respect to which c is IND-CCA2-secure, and for otc

dene

StE
((u
1
, ID
A
1
, ID
B
1
), (u
2
, ID
A
2
, ID
B
2
)) to be
E
(u
1
, u
2
) if if A
1
= A
2
and
B
1
= B
2
, or false otherwise.
Now we will show that otc

is insider-secure against IND-CCA2 attacks

with respect to
StE
, by way of contradiction. Suppose there exists an
adversary /
StE
which can break the IND-CCA2 security of otc

with non-
negligible probability. We convert this to an adversary /
E
which can break
the IND-CCA2 security of c with the same probability, in the same time,
and using the same number of oracle queries.
Let (EK
B
, DK
B
) be the key pair which /
E
is trying to attack. In the nd
stage, after being given EK
B
, /
E
does the following:
1. (SK
B
, VK
B
) Sig-KeyGen(1
k
)
2. (m
0
, m
1
, ID
A
, ) /
EtS
((VK
B
, EK
B
), nd)
3. s
0
Sig
SK
A

(m
0
[[ID
B
)
4. s
1
Sig
SK
A

(m
1
[[ID
B
)
5. Return (m
0
[[s
0
[[ID
A
, m
1
[[s
1
[[ID
A
, ).
In the guess stage, once given the target ciphertext e = Enc
EK
B
(m
b
[[s
b
[[ID
A
)
for b
R
0, 1, /
E
does the following:
1. Return

b /
StE
((e, ID
A
, ID
B
), , guess).
Note that /
StE
may make queries to its de-signcryption oracle. To respond
to a query (e

, ID
A
, ID
B
), /
E
does the following:
1. If
E
(e, e

) = true return .
2. m[[s[[ID
A
Dec
DK
B
(e

)
25
3. If ID
A
,= ID
A
return .
4. If Ver
VK
A

(m[[ID
B
, s) = succeed return m else return .
Note that /
E
may perform step 2 using its decryption oracle, since step 1
guarantees that e

is not equivalent to the target ciphertext, e.

To nish the proof, we must check that the above steps perfectly simulate
the VerDec algorithm of otc

. Apart from step 1, the above steps are pre-

cisely those of VerDec. Step 1 could interfere only in the case that
E
(e, e

) =
true. Suppose then that /
StE
makes some oracle query (e

, ID
A
, ID
B
) for
which
E
(e, e

) = true. We know that e is an encryption of m

b
[[s
b
[[ID
A
.
Since
E
is decryption-respecting, e

too is an encryption of m
b
[[s
b
[[ID
A
.
Now there are two cases to consider. If ID
A
,= ID
A
then step 2 of VerDec
would return , just as step 1 above. Otherwise ID
A
= ID
A
, and then

StE
((e, ID
A
, ID
B
), (e

, ID
A
, ID
B
)) =
E
(e, e

) = true. But this contradicts

the fact that /

StE
does not query its de-signcryption oracle with anything
equivalent to the target ciphertext.
Authenticity: Suppose there is an adversary /
EtS
which can break
the UF-CMA security of cto

with non-negligible probability. We convert

this to an adversary /
S
which can break the UF-CMA security of o with the
same probability, in the same time, and using the same number of oracle
queries.
Let (SK
A
, VK
A
) be the key pair which /
S
is trying to attack. After
being given VK
A
, /
S
does the following:
1. (EK
A
, DK
A
) Enc-KeyGen(1
k
)
2. (e, s, ID
A
, ID
B
) /
EtS
((VK
A
, EK
A
))
3. Return (e[[ID
B
, s).
In step 2, /
EtS
may make queries to its signcryption oracle. To respond to
a query (m

, ID
A
, ID
B
), /
S
does the following:
1. e

Enc
EK
B

(m

[[ID
A
)
2. s

Sig
SK
A
(e

[[ID
B
)
3. Return (e

, s

).
Note that /
S
may perform step 2 using its signing oracle. We must check,
however, that the message e[[ID
B
signed by /
S
is not equal to any of
the messages e

[[ID
B
passed to its signing oracle. Suppose otherwise, i.e.
ID
B
= ID
B
and e = e

. Note that e = Enc

EK
B

(m[[ID
A
) for some m,
and e

= Enc
EK
B

(m

[[ID
A
) = Enc
EK
B

(m

[[ID
A
) for some m

. Then since
e = e

we have Enc
EK
B

(m[[ID
A
) = Enc
EK
B

(m

[[ID
A
), which implies that
m[[ID
A
= m

[[ID
A
, so m = m

, contradicting the fact that /

EtS
produces a
signcryption for a message not queried to its signcryption oracle.
26
Strengthening These Results
As it turns out, we can improve upon these theorems.
Looking at the proof of Theorem 3.8, we see that if
E
is the ordinary
equality relation, then so is
StE
. That is, if c is IND-CCA2-secure, then
so is otc

. In the case of cto

, though, we cannot expect to do better than

IND-gCCA2 security, at least in the insider model. To see this, note that
the adversary can always de-signcrypt its target ciphertext by removing its
signature, replacing it with a new one (which it can do, since it has access to
SK
A
), and then passing the new signcryption to its de-signcryption oracle.
Now we turn our attention to authenticity. Looking at the proof of
Theorem 3.7, we see that UF-CMA security can be replaced by sUF-CMA-
security. That is, if o is sUF-CMA-secure, then so is cto

. This is not the

case for otc, at least in the insider model. The adversary can produce a
new signcryption from an old one by decrypting it (using DK
B
), then re-
encrypting it.
cto

versus otc

Seeing that both sign-then-encrypt and encrypt-then-sign provide strong

levels of security, one may wonder why the former is typically preferred
over the latter. One reason is that sign-then-encrypt provides a very simple
non-repudiation mechanism: the recipient of a signcrypted message simply
decrypts it with his decryption key, then passes the resulting signed message
on to the verier. That is, otc

is an o-veriable signcryption scheme.

Encrypt-then-sign, as presented here, does not provide non-repudiation
unless the recipient is prepared to divulge his secret key. Without it, a
verier cannot decrypt the signed ciphertext. This problem can be solved
if the recipient can determine the randomness r used by the sender while
encrypting. (For example, we could required the sender to append it to the
message m before encrypting.) In this case, the recipient can provide m,
r, and the signature s to the verier, who can then encrypt m under the
recipients public key using r, and verify the signature s on the resulting
ciphertext.
3.5 Encrypt-and-Sign
Another method to achieve both condentiality and authenticity, which
also existed before the study of signcryption, is encrypt-and-sign, or c&o.
Rather than applying the encryption and signature operations sequentially,
27
as with cto, we apply them in parallel. For simplicity, we present the de-
nition of encrypt-and-sign in the two-user setting.
Denition 3.9 (Encrypt-and-sign). Given an encryption scheme c and
a signature scheme o, we dene the signcryption scheme c&o as follows:
KeyGen(1
k
):
1. (EK, DK) Enc-KeyGen(1
k
)
2. (SK, VK) Sig-KeyGen(1
k
)
3. Return (SDK, VEK) ((SK, DK), (VK, EK)).
SigEnc
SDK
A
,VEK
B
(m):
1. Return (e, s) (Enc
EK
B
(m), Sig
SK
A
(m))
VerDec
VEK
A
,SDK
B
(e, s):
1. m Dec
DK
B
(e)
2. If Ver
VK
A
(m, s) = succeed return m else return .
Note that encrypt-and-sign requires the same amount of computation
as encrypt-then-sign, but it allows the encryption and signature steps to be
performed in parallel. The decryption and verication steps, however, must
be performed sequentially.
The main problem with encrypt-and-sign is that it does not provide
indistinguishability. This is because an adversary can check whether a given
message m corresponds to a given ciphertext (e, s) by running Ver
VK
A
(m, s).
Encrypt-and-sign does, however, provide non-repudiation. The recipient of
a message (e, s) simply computes m Dec
DK
B
(e) and then sends (m, s) to
the verier.
3.6 Improvements on Encrypt-and-Sign
An, Dodis, and Rabin [1] solved the problem of indistinguishability in c&o
by adding a commitment step, resulting in commit-then-encrypt-and-sign or
(tc&o. Besides providing indistinguishability, (tc&o also improves upon
c&o in that it allows the decryption and verication steps to be performed
in parallel.
Pieprzyk and Pointcheval [12] subsequently improved upon (tc&o by
replacing the commitment portion with a Shamir secret-sharing scheme.
Their scheme has the added advantage that the encryption and signature
schemes it depends on need only satisfy very weak security requirements.
We do not consider these schemes in detail, and instead move on to other
classes of signcryption schemes.
28
Chapter 4
Signcryption in the Discrete
Logarithm Setting
In this chapter, we examine a class of signcryption schemes which are built
from signature schemes in the discrete logarithm setting.
4.1 Notation
Before describing particular schemes, we x some notation which is common
to all of them.
(p, q, g) parameters dening a multiplicative subgroup of Z
p
, with
order q and generator g. That is, p is a large prime, q is a large prime
factor of p 1, and g [1, . . . , p 1] has order q.
In practice p and q are chosen so that solving the discrete logarithm
problem using the index calculus algorithm in Z
p
takes about the same
amount of time as solving it in the subgroup generated by g using
Pollards rho algorithm. Typical sizes for p and q are 1024 and 160
bits respectively.
In encryption and signature schemes, these values can typically be cho-
sen independently by each user. However, in the signcryption schemes
in this chapter, (p, q, g) are common to all users.
(x
A
, y
A
) and (x
B
, y
B
) the key pairs of the sender and recipient
respectively. These key pairs are generated using the following key
generation algorithm, which is common to all signature and signcryp-
29
tion schemes in this chapter. A user U generates his key pair (x
U
, y
U
)
by doing:
1. x
U

R
[1, . . . , q 1]
2. y
U
g
x
U
mod p.
The value x
U
is the private key, while y
U
is the public key.
Since this key generation algorithm is common to all schemes in this
chapter, we specify only Sig and Ver when describing signature schemes,
and SigEnc and VerDec when describing signcryption schemes. We take
both Sig-KeyGen(1
k
) and KeyGen(1
k
) to be the above algorithm, with
the security parameter k being the length (in bits) of p.
(E, D) the encryption and decryption algorithms of a private-key
encryption scheme. This scheme must be deterministic and secure
against chosen plaintext attacks. For example, triple-DES or IDEA
could be used in the CBC mode of operation.
G, H hash functions, each of which maps from 0, 1

to 0, 1
l
for
some l. (The length parameter l need not be the same for G and H.)
They are assumed to behave like random oracles
1
for the purpose of
security proofs.
4.2 Zhengs Original Scheme
In 1997, Zheng eectively launched the study of signcryption by giving a
pair of signcryption schemes which are signicantly more ecient than otc
both in terms of computation and message expansion [15]. These schemes
have served as a template for several other signcryption schemes, including
those presented in this chapter.
Here we present the rst of Zhengs signcryption schemes. It is based
on a shortened version of the Digital Signature Standard known as SDSS1
(Shortened Digital Signature Standard). This signature scheme is dened
as follows:
Sig(m):
1
A random oracle is a theoretical model of a perfect cryptographic hash function.
Given a new input x {0, 1}

, it chooses an output y {0, 1}

l
uniformly at random.
Given a previously seen input, it returns the same output it previously chose. For more
information, see Bellare and Rogaway [4].
30
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. r H(k[[m)
4. s x/(r + x
A
) mod q
5. Return (m, r, s).
Ver(m, r, s):
1. k (y
A
g
r
)
s
mod p
2. If r = H(k[[m) return succeed else return fail.
This particular signature scheme was chosen by Zheng because the value k
can be computed by the recipient without knowing the message m.
Now we can dene Zhengs signcryption scheme
2
:
SigEnc(m, ID
A
, ID
B
):
1. x
R
[1, . . . , q 1]
2. K y
x
B
mod p
3. K
enc
G(K)
4. c E
Kenc
(m)
5. r H(m[[y
A
[[y
B
[[K)
6. s x/(r + x
A
) mod q
7. Return (c, r, s).
VerDec(c, r, s, ID
A
, ID
B
):
1. K (y
A
g
r
)
sx
B
mod p
2. K
enc
G(K)
3. m D
Kenc
(c)
4. If r = H(m[[y
A
[[y
B
[[K) return m, else return .
This scheme is the result of making the following modications to SDSS1:
1. In the signcryption algorithm, the computation k g
x
mod p is re-
placed by K y
x
B
mod p, and the corresponding change is made in
the de-signcryption algorithm. This change ensures that only the in-
tended recipient can compute K.
2. The message m is hidden by encrypting it, using G(K) as the sym-
metric encryption key.
2
This version of Zhengs scheme is not the one originally presented by Zheng [15], but
a slightly modied version used by Baek, Steinfeld, and Zheng [2] in their formal security
proof.
31
3. The computation r H(k[[m) is replaced by r H(m[[y
A
[[y
B
[[K),
which binds the signcryption to the identities of the sender and recip-
ient, in order to achieve security in the multi-user setting.
The main advantage of Zhengs scheme is that it requires signicantly
less computation than traditional signcryption techniques such as otc. To
see this, note that Zhengs scheme requires only one modular exponentiation
for signcryption, and two modular exponentiations for de-signcryption. In
comparison, otc requires three modular exponentiations both for signcryp-
tion and for de-signcryption, when using Schnorr signatures and ElGamal
encryption.
Zhengs scheme also has an advantage in terms of communication over-
head, expanding messages by only [ H()[ + [q[ bits, compared to [ H()[ +
[q[ +[p[ in the case of otc with Schnorr signatures and ElGamal encryption.
This dierence is quite signicant, since [p[ is typically much larger than
[ H()[ and [q[. It becomes even more signicant when Zhengs scheme is
compared with otc

, which expands messages by [ H()[ + [q[ + [p[ + [ID

A
[
bits, with the extra [ID
A
[ coming from the fact that ID
A
is appended before
the encryption step. ID
A
is typically around the same length as H().
Security
Zhengs scheme provides past recovery, since the sender of a message (c, r, s)
can compute x = s(r + x
A
) mod q, and thus K = y
x
B
mod p, and then per-
form the remaining steps of VerDec as in the denition. Of course, this
implies that the scheme does not provide condentiality in the insider secu-
rity model.
Baek, Steinfeld, and Zheng [2] have given a formal security proof for
this scheme. Before proceeding to their results, we briey look at the hard
problems upon which they are based. They are as follows:
Computational Die-Hellman Problem (CDHP): For a, b Z

q
,
given g, g
a
, and g
b
, compute g
ab
.
Decisional Die-Hellman Problem (DDHP): For a, b, c Z

q
,
given g, g
a
, g
b
, and g
c
, decide whether c ab (mod q).
Gap Die-Hellman Problem (GDHP): Solve CDHP, given an
oracle to solve DDHP.
Note that the computational and decisional Die-Hellman problems have
been well studied, while less is known about the more recent gap Die-
Hellman problem, thus casting some doubt on security proofs based upon
32
it. Further details about the gap Die-Hellman problem can be found in
Okamoto and Pointcheval [9].
Now we return to the results of Baek et al. They prove that Zhengs
scheme provides condentiality in a sense slightly weaker than IND-CCA2-
security in the outsider model, under the assumption that the gap Die-
Hellman problem is hard. They show that it provides authenticity in a
sense slightly weaker than UF-CMA-security in the insider model, under the
assumption that the computational Die-Hellman problem is hard. In both
cases, the dierence between their model and the one presented here is that
the signcryption oracle is SigEnc(, ID
A
, ID
B
), rather than SigEnc(, ID
A
, ).
That is, the adversary does not get to choose the recipient when asking for
the signcryption of a message. (The de-signcryption oracle, however, is left
unchanged.)
4.3 Adding Non-Repudiation
Zhengs original scheme did provide a mechanism for non-repudiation. How-
ever, Petersen and Michels [11] showed that this mechanism compromises the
condentiality of the system. To overcome this problem, Bao and Deng [3]
modied Zhengs scheme, giving the following signcryption scheme
3
:
SigEnc(m, ID
A
, ID
B
):
* 1. x
R
[1, . . . , q 1]
* 2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
* 6. r H(k[[m[[y
A
[[y
B
)
* 7. s x/(r + x
A
) mod q
8. Return (c, r, s).
VerDec(c, r, s, ID
A
, ID
B
):
* 1. k (y
A
g
r
)
s
mod p
2. K k
x
B
mod p
3. K
enc
G(K)
4. m D
Kenc
(c)
* 5. If r = H(k[[m[[y
A
[[y
B
) return m, else return .
3
In fact, Bao and Deng specied r H(m||yA||yB||k) in step 6, but we move k to the
beginning here to allow for SDSS1-veriability.
33
This scheme is very similar to Zhengs, except for the following changes:
1. The computations k g
x
mod p and k (y
A
g
r
)
s
mod p from the
original SDSS1 signature scheme are added back.
2. The computation r H(m[[y
A
[[y
B
[[K) is replaced by
r H(k[[m[[y
A
[[y
B
).
Thanks to these changes, the steps of SigEnc with asterisks (*) are precisely
the signature algorithm of SDSS1, when signing the message m[[y
A
[[y
B
.
Similarly, the steps of VerDec with asterisks are precisely the verication
algorithm of SDSS1, when verifying the same message. Thus to achieve non-
repudiation, the recipient of a message (c, r, s, ID
A
, ID
B
) can simply compute
m as in VerDec, and then send (m[[y
A
[[y
B
, r, s) to the verier, who then
veries that this is a valid SDSS1 signature using As public key. Thus this
is an SDSS1-veriable signature scheme.
In this scheme, signcryption requires two modular exponentiations, while
de-signcryption requires three. Thus most of the computational advantage
of Zhengs scheme over otc has been lost. However, the advantage in com-
munication overhead remains, since the overhead of Bao and Dengs scheme
is [ H()[ +[q[ bits, as with Zhengs scheme.
Note that this scheme provides insider security against UF-CMA attacks
as long as SDSS1 is UF-CMA-secure
4
. To see this, suppose there exists an
adversary / which can break its UF-CMA-security with non-negligible prob-
ability. Then we can construct an adversary /

which breaks the UF-CMA-

security of SDSS1 with the same probability and in the same time. After
receiving a public key y
A
, /

does:
1. (c, r, s, ID
B
) /(y
A
)
2. m VerDec(c, r, s, ID
A
, ID
B
)
3. Return (m[[y
A
[[y
B
, r, s).
Note that /

can perform step 2 since it has access to x

B
. (We assume that
whatever key pairs and identities are generated by / are made available to
/

as well.)
Unfortunately, this scheme does not provide IND-CCA2 security, since an
adversary can easily determine which of two messages m
0
, m
1
corresponds to
a challenge ciphertext (c, r, s, ID
A
, ID
B
) checking which of (m
0
[[y
A
[[y
B
, r, s)
or (m
1
[[y
A
[[y
B
, r, s) is a valid SDSS1 signature.
4
Zheng [15] claims that SDSS1 can be proven UF-CMA-secure by adapting the argument
of Pointcheval and Stern [13] for the Schnorr signature scheme.
34
4.4 A DSA-Veriable Scheme
Shin, Lee, and Shim [14] observed that Bao and Dengs method could be
used to construct signcryption schemes from an entire class of ElGamal-type
signature schemes; namely, those for which k = g
x
mod p can be computed
by the recipient of a signature, without knowing the message m. Suppose
that o is such a signature scheme. Then the corresponding o-veriable
signcryption scheme is:
SigEnc(m, ID
A
, ID
B
):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
6. Compute As signature s Sig(m[[y
A
[[y
B
) using the values x
and k from above.
7. Return (c, s).
VerDec(c, s, ID
A
, ID
B
):
1. Compute k = g
x
mod p as specied by o.
2. K k
x
B
mod p
3. K
enc
G(K)
4. m D
Kenc
(c)
5. Compute a Ver(m[[y
A
[[y
B
, s) using the value k = g
x
mod p
computed in step 1.
6. If a = succeed return m, otherwise return .
To achieve non-repudiation, the recipient of a message (c, s) simply computes
m as in VerDec, then sends (m[[y
A
[[y
B
, s) to the verier, who then veries
that this is a valid signature using o.
This indeed generalizes Bao and Dengs scheme, since their scheme re-
sults from applying the above construction to SDSS1.
One would like to apply this construction to the widely-used Digital
Signature Algorithm (DSA), which is dened as follows:
Sig(m):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. r k mod q
35
4. h H(m)
5. s (h + x
A
r)/x mod q
6. Return (m, r, s).
Ver(m, r, s):
1. h H(m)
2. e
1
h/s mod q
3. e
2
r/s mod q
4. k g
e
1
y
e
2
A
mod p
5. If r = k mod q return succeed, else return fail.
Unfortunately, DSA does not satisfy the requirement that k = g
x
mod p can
be computed without knowing the message m, so the construction cannot
be directly applied to DSA. However, Shin, Lee, and Shim were able to
overcome this problem by introducing a modied version of DSA called
MDSA:
Sig(m):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. r k mod q
4. h H(m)
5. s (h + x
A
r)/x mod q
6. e
1
h/s mod q
7. e
2
r/s mod q
8. Return (m, e
1
, e
2
).
Ver(m, e
1
, e
2
):
1. h H(m)
2. k g
e
1
y
e
2
A
mod p
3. r k mod q
4. s r/e
2
mod q
5. If e
1
s h mod q return succeed, else return fail.
MDSA is essentially the same as DSA, except that the computation of e
1
and
e
2
has been moved from Ver to Sig, and Ver has been adjusted accordingly.
36
Note that in step 2 the verier computes
k = g
e
1
y
e
2
A
mod p
= g
h/s
g
x
A
(r/s)
mod p
= g
(h+x
A
r)/s
mod p
= g
(h+x
A
r)/((h+x
A
r)/x)
mod p
= g
x
mod p
without using the message m. Thus the generalized construction of Bao and
Deng can be applied to MDSA.
Further, MDSA is strongly equivalent to DSA. By this, we mean that a
valid MDSA signature can be eciently converted to a valid DSA signature
and vice versa, without using the private key. The following is a restatement
of the theorem and proof given by Shin, Lee, and Shim [14], with missing
details lled in by the author.
Theorem 4.1. MDSA is strongly equivalent to DSA.
Proof. Suppose that (m, e
1
, e
2
) is a valid MDSA signature. That is, e
1
s h
(mod q), where s = ((g
e
1
y
e
2
A
mod p) mod q)/e
2
mod q and h = H(m). Then
(m, , ) is a valid DSA signature, where = (g
e
1
y
e
2
A
mod p) mod q and
= /e
2
mod q, since
e
1
s h (mod q)
e
1
(/e
2
) H(m) (mod q)
e
1
H(m) (mod q)
e
1
H(m)/ (mod q)
g
e
1
g
H(m)/
(mod p)
g
e
1
y
e
2
A
g
H(m)/
y
e
2
A
(mod p)
g
e
1
y
e
2
A
g
H(m)/
y
/
A
(mod p)
= (g
e
1
y
e
2
A
mod p) mod q = (g
H(m)/
y
/
A
mod p) mod q.
This last condition is precisely what DSAs verication algorithm checks to
determine whether (m, , ) is a valid signature.
Now suppose that (m, r, s) is a valid DSA signature. That is, r = (g
e
1

y
e
2
A
mod p) mod q, where e
1
= H(m)/s mod q and e
2
= r/s mod q. Then
(m, , ) is a valid MDSA signature, where = H(m)/s mod q and =
37
r/s mod q, since
r (g
e
1
y
e
2
A
mod p) (mod q)
r (g

A
mod p) (mod q)
(/) r (/) (g

A
mod p) (mod q)

H(m)/s
r/s

r ((g

A
mod p)/) (mod q)
H(m) = (((g

A
mod p) mod q)/ mod q) (mod q).
This last condition is precisely what MDSAs verication algorithm checks
to determine whether (m, , ) is a valid signature.
It is easy to see that if two signature schemes are strongly equivalent,
then they have the same security properties. Thus if DSA is UF-CMA-secure,
then so is MDSA. At present, it has not been proven that DSA is UF-CMA-
secure, but it is widely used in practise, and no signicant security aws are
known.
By applying the generalized technique of Bao and Deng to MDSA, we get
an MDSA-veriable signcryption scheme. Then using the strong equivalence
of MDSA and DSA, we can easily modify the non-repudiation procedure to
get the following DSA-veriable signcryption scheme:
SigEnc(m, ID
A
, ID
B
):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
6. r k mod q
7. h H(m[[y
A
[[y
B
)
8. s (h + x
A
r)/x mod q
9. e
1
h/s mod q
10. e
2
r/s mod q
11. Return (c, e
1
, e
2
).
VerDec(c, e
1
, e
2
, ID
A
, ID
B
):
1. k g
e
1
y
e
2
A
mod p
2. K k
x
B
mod p
3. K
enc
G(K)
38
4. m D
Kenc
(c)
5. h H(m[[y
A
[[y
B
)
6. r k mod q
7. s r/e
2
mod q
8. If e
1
s h mod q return m, else return .
To achieve non-repudiation, the recipient sends (m[[y
A
[[y
B
, r, s) to the ver-
ier, where m, r, and s are the values computed in VerDec. If (c, e
1
, e
2
,
ID
A
, ID
B
) is a valid signcryption, then (m[[y
A
[[y
B
, e
1
, e
2
) is a valid MDSA
signature, and thus (m[[y
A
[[y
B
, r, s) is a valid DSA signature, as shown in
Theorem 4.1.
Unfortunately, this scheme does not provide IND-CCA2 security. As with
Bao and Dengs scheme, an adversary can easily determine which of two
messages m
0
, m
1
corresponds to a challenge ciphertext (c, e
1
, e
2
, ID
A
, ID
B
)
checking which of (m
0
[[y
A
[[y
B
, e
1
, e
2
) or (m
1
[[y
A
[[y
B
, e
1
, e
2
) is a valid MDSA
signature. To solve this problem, Shin, Lee, and Shim propose a slightly
modied version of the scheme called SC-DSA+. It is dened as follows:
SigEnc(m, ID
A
, ID
B
):
1. x
R
[1, . . . , q 1]
2. k g
x
mod p
3. K y
x
B
mod p
4. K
enc
G(K)
5. c E
Kenc
(m)
6. r k mod q
7. h H(m[[y
A
[[y
B
[[K)
8. s (h + x
A
r)/x mod q
9. e
1
h/s mod q
10. e
2
r/s mod q
11. Return (c, e
1
, e
2
).
VerDec(c, e
1
, e
2
, ID
A
, ID
B
):
1. k g
e
1
y
e
2
A
mod p
2. K k
x
B
mod p
3. K
enc
G(K)
4. m D
Kenc
(c)
5. r k mod q
6. s r/e
2
mod q
7. h H(m[[y
A
[[y
B
[[K)
39
8. If e
1
s h mod q return m else return .
To achieve non-repudiation, the recipient of a message simply computes
m, r, s, and K as in VerDec, and sends (m[[y
A
[[y
B
[[K, r, s) to the verier,
who then veries that this is a valid DSA signature using As public key.
This scheme is precisely the same as the previous one, except that the
step h H(m[[y
A
[[y
B
) has been changed to h H(m[[y
A
[[y
B
[[K). This
prevents the previous simple attack on IND-CCA2 security, since an outsider
adversary cannot eciently compute the value K.
As with Bao and Dengs scheme in Section 4.3, it is straightforward
that SC-DSA+ is UF-CMA-secure in the insider model as long as MDSA (or
equivalently, DSA) is UF-CMA-secure. The proof of condentiality for SC-
DSA+ is simply an adaptation of the proof for Zhengs original scheme, and
uses the same security model. That is, SC-DSA+ provides condentiality
in a sense slightly weaker than IND-CCA2-security in the outsider model.
Note that this scheme provides past recovery, since the sender of a mes-
sage (c, e
1
, e
2
, ID
A
, ID
B
) can compute:
1. k g
e
1
y
e
2
A
mod p
2. r k mod q
3. s r/e
2
mod q
4. h e
1
s mod q
5. x (h + x
A
r)/s mod q
6. K y
x
B
mod p
7. K
enc
G(K)
8. m D
Kenc
(c).
40
Chapter 5
Signcryption from Trapdoor
Permutations
5.1 Trapdoor Permutation Families
Trapdoor permutations are an important building block of public-key cryp-
tography. A trapdoor permutation is simply a permutation f : S S on
some nite set S, which can be eciently evaluated by anyone, but whose
inverse permutation f
1
: S S can only be eciently evaluated by using
some secret trapdoor information.
5.1.1 Syntax
More formally, we dene a trapdoor permutation family as a triple of algo-
rithms (Trap-Gen, Eval, Invert):
Trap-Gen is a randomized algorithm which accepts 1
k
, where k is a
security parameter, and outputs a pair (f, f
1
), where f is a per-
mutation over some set S and f
1
is its inverse permutation. This
operation is denoted by (f, f
1
) Trap-Gen(1
k
).
Eval is a deterministic algorithm which accepts a permutation f gen-
erated by Trap-Gen, as well as some x S, where S is the set over
which f is dened. It outputs some y S. This operation is denoted
by y Eval(f, x), or simply y f(x).
Invert is a deterministic algorithm which accepts some f
1
generated
by Trap-Gen and some y S, where S is the set over which f is
41
dened. It outputs some x S. This operation is denoted by x
Invert(f
1
, y), or simply x f
1
(y).
We require that f
1
(f(x)) = x for all x, and for all pairs (f, f
1
) generated
by Trap-Gen. This ensures both that f is a permutation, and that f
1
is
the inverse permutation of f.
5.1.2 Security
As was the case for encryption, signature, and signcryption schemes, we
dene the security of a trapdoor permutation family in terms of the goal
and capabilities of an adversary.
We will take the goal of the adversary to be inverting a randomly chosen
element. To achieve this goal, the adversary / must win the following game:
1. (f, f
1
) Trap-Gen(1
k
)
2. y
R
S (where S is the set over which f is dened)
3. x /(f, y).
/ wins in the case that x = f
1
(y). As for the capabilities of the adversary,
we only give it access to the permutation f. We require that a trapdoor
permutation family satisfy Pr[/ wins] < negl(k) for any such adversary /.
Note that we have chosen a particularly strong goal for the adversary, and
given it particularly weak capabilities. (A weaker goal would, for example,
be one which required / to determine only some information about x from
y. Stronger capabilities could include access to an oracle for f
1
.) This
means that the security level provided by a trapdoor permutation family is
quite weak. However, it is still possible to build strongly secure encryption
and signature schemes from trapdoor permutation families. As we will see in
this chapter, it is also possible to build strongly secure signcryption schemes
from them. Thus their weak notion of security is an advantage, making
them easier to construct and analyze.
5.1.3 Examples
The most commonly used trapdoor permutation family is RSA, which is
dened as follows:
Trap-Gen(1
k
):
1. Choose two random k-bit primes, p and q.
2. n p q
42
3. (n) (p 1) (q 1)
4. Choose e such that 1 < e < (n) and e is coprime to (n).
5. Compute d such that 1 < d < (n) and d e 1 (mod (n)).
6. Return ((e, n), (d, n)).
Eval((e, n), x):
1. Return y x
e
mod n.
Invert((d, n), y):
1. Return x y
d
mod n.
Note that it is not yet known whether RSA is in fact a trapdoor permutation
family, because it has not been proven to satisfy the security requirement
dened above, even under the well-accepted assumption that factoring n
is intractable. However, there are other families which have been proven
secure, such as that of Paillier [10], which has been shown to be secure
under the assumption that factoring is hard.
5.2 Cryptography from Trapdoor Permutations
Originally, trapdoor permutations were used directly as encryption and sig-
nature schemes. For example, to encrypt a message m for a recipient B,
one would simply compute c = f
B
(m), where f
B
is Bs trapdoor function.
Of course, the recipient would then compute m = f
1
B
(c) using his secret
trapdoor information. Unfortunately, this simple scheme does not provide
indistinguishability, since anyone can distinguish between f(m
0
) and f(m
1
),
for any m
0
and m
1
. Similarly, to sign a message m, a sender A would sim-
ply compute s = f
1
A
(m), and then anyone could verify that f
A
(s) = m.
However, this does not provide unforgeability, since any user can compute
valid message/signature pairs (f
A
(s

), s

) for any s

.
The solution to both of these problems is to rst apply a padding function
to the message, then apply the trapdoor permutation to some or all of the
padded message. Thus a trapdoor-based encryption scheme typically looks
like:
Enc-KeyGen(1
k
) :
1. (f, f
1
) Trap-Gen(1
k
)
2. Return (f, f
1
).
Enc(m):
1. m

Enc-Pad(m)
43
2. Return c f
B
(m

).
Dec(c):
1. m

f
1
B
(c)
2. Return m Enc-Depad(m

).
Likewise, a trapdoor-based signature scheme typically looks like:
KeyGen(1
k
) :
1. (g, g
1
) Trap-Gen(1
k
)
2. Return (g
1
, g).
Sig(m):
1. m

Sig-Pad(m)
2. s g
1
A
(m

)
3. Return (m, s).
Ver(m, s):
1. m

Sig-Pad(m)
2. m

g
A
(s)
3. If m

= m

return succeed else return fail.

Since there are many such encryption and signature schemes based on
trapdoor permutations, for example OAEP and PSS-R, it would be pos-
sible to build signcryption schemes from them using the generic otc

and
cto

constructions from Chapter 3. However, this approach has several

drawbacks. To see this, let us consider the key generation and signcryption
functions in the case of otc

:
KeyGen(1
k
) :
1. (f, f
1
) Enc-KeyGen(1
k
)
2. (g
1
, g) Sig-KeyGen(1
k
)
3. Return ((g
1
, f
1
), (g, f)).
SigEnc(m, ID
A
, ID
B
):
1. m

Sig-Pad(m[[ID
B
)
2. s g
1
A
(m

)
3. s

Enc-Pad(m[[s[[ID
A
)
4. u f
B
(s

)
5. Return (u, ID
A
, ID
B
).
This scheme has the following drawbacks:
44
Each user must maintain two distinct trapdoor permutations: one for
encrypting (f), and one for signing (g).
Two padding steps are required; one for encryption, and one for sig-
nature. Since padding steps generally lengthen their inputs, this un-
necessarily lengthens the input to the second trapdoor permutation,
as well as the nal ciphertext output.
The identity of the recipient is appended before signing, and the iden-
tity of the sender is appended before encrypting. This unnecessarily
lengthens the inputs to the trapdoor permutations, as well as the nal
ciphertext output.
Dodis, Freedman, Jarecki, and Walsh [5] have proposed a series of
trapdoor-based signcryption schemes which addresses all three of these prob-
lems. Their schemes require each user to maintain only a single trapdoor
permutation, which is used to achieve both condentiality and authenticity.
Only a single padding step is required, which is applied just before the trap-
door permutations of the sender and recipient. The identities of the sender
and recipient are fed in as inputs to the padding step, but do not lengthen
its output. Abstractly, their schemes all have the following pattern:
KeyGen(1
k
):
1. (f, f
1
) Trap-Gen(1
k
)
2. Return (f
1
, f).
SigEnc(m, ID
A
, ID
B
):
1. m

Pad(m, ID
A
, ID
B
)
2. Apply f
B
and f
1
A
to m

, to get u.
3. Return u.
VerDec(u, ID
A
, ID
B
):
1. Apply f
1
B
and f
A
to u, to get m

.
2. m Depad(m

, ID
A
, ID
B
).
3. Return m.
The trapdoor functions f
A
and f
B
are each dened over the set 0, 1
l
for
some l. (Most often both f
A
and f
B
will use the same value of l.)
First we consider step 2 of the signcryption function, where the trapdoor
permutations are applied. Since two trapdoor permutations are involved,
there are several ways in which they can be applied. Dodis et al. [5] consider
the following three ways, which they call modes of operation. Each of them
considers m

as two parts, w and s. That is, m

= (w[[s).
45
Parallel mode: u f
B
(w)[[f
1
A
(s). This mode has the advantage that
the two trapdoor permutations can be applied in parallel, but the
disadvantage that the minimum ciphertext length is twice the output
size of the trapdoor permutations. A further advantage is that f
A
and
f
B
can be of dierent lengths.
Sequential mode: u f
B
(f
1
A
(w[[s)). In this case, the trapdoor per-
mutations must be applied sequentially, but the minimum ciphertext
length is half that of the parallel method.
Extended sequential mode: u f
B
(f
1
A
(w))[[s. This mode is a slight
modication of the sequential mode. Its minimum ciphertext length
is only slightly longer than that of the sequential method (since s can
be chosen to be very short), while it admits a much tighter security
proof.
Next we turn our attention to the padding step of the signcryption func-
tion. As it turns out, there is a single padding scheme which can be used
with all three of the above modes (parallel, sequential, and extended sequen-
tial) by simply adjusting some parameters. It is the second of two so-called
Probabilistic Signature and Encryption Paddings given by Dodis et al. [5],
and thus called PSEP2. It is dened as follows:
Pad(m, ID
A
, ID
B
):
1. (m
1
[[m
2
) m
2. r
R
0, 1
|d||m
2
|
3. c (m
1
K(r)) [[ K

(m
2
[[r)
4. d (m
2
[[r)
5. w d G(ID
A
[[ID
B
[[c)
6. s c H(w)
7. Return (w, s).
Depad(w, s, ID
A
, ID
B
):
1. c s H(w)
2. d w G(ID
A
[[ID
B
[[c)
3. (m
2
[[r) d
4. ([[) c
5. If = K

(m
2
[[r) continue, else return .
6. m
1
K(r)
7. Return m (m
1
[[m
2
).
46
Note that steps 2 through 4 of the padding operation (and steps 3 through 6
of the de-padding operation) constitute a commitment scheme, while steps
5 and 6 of the padding operation (and steps 1 and 2 of the de-padding
operation) are simply two rounds of a Feistel Transform applied to (d, c)
with round functions G(ID
A
[[ID
B
[[c) and H(w).
The parameters which may be adjusted are [m
1
[, [m
2
[, [c[, and [d[. These
must be adjusted in accordance with the level of security desired, the lengths
of f
A
and f
B
, and the mode of operation being used.
Note that PSEP2 is only able to handle messages of length up to [m
1
[ +
[m
2
[, which is typically a small value. In some applications, such as key
transport, this may not be a problem. However, in other applications such
as email, messages of arbitrary length must be handled. Dodis et al. [5] have
provided a simple solution to this problem. They propose using a private
key encryption scheme (E, D) to encrypt the message m under a randomly-
chosen key K
enc
, then signcrypting K
enc
as before. One small modication
is necessary; namely, to prevent the ciphertext from tampering we include
it in the hash computation in step 5 of the padding operation and step 2 of
the de-padding operation. This gives the following signcryption scheme:
SigEnc(m, ID
A
, ID
B
):
1. Choose a symmetric encryption key K
enc
at random.
2. c

E
Kenc
(m)
3. (m
1
[[m
2
) K
enc
4. r
R
0, 1
|d||m
2
|
5. c (m
1
K(r)) [[ K

(m
2
[[r)
6. d (m
2
[[r)
7. w d G(c

[[ID
A
[[ID
B
[[c)
8. s c H(w)
9. Apply f
B
and f
1
A
to (w, s) to get u.
10. Return (c

, u).
VerDec(c

, u, ID
A
, ID
B
):
1. Apply f
1
B
and f
A
to u to get (w, s).
2. c s H(w)
3. d w G(c

[[ID
A
[[ID
B
[[c)
4. (m
2
[[r) d
5. ([[) c
6. If = K

(m
2
[[r) continue, else return .
7. m
1
K(r)
47
8. K
enc
(m
1
[[m
2
)
9. Return m D
Kenc
(c

).
In fact, this denes three dierent signcryption schemes, since the mode of
operation (parallel, sequential, or extended sequential) is not specied.
5.3 Properties of PSEP2
PSEP2 has several advantages over other signcryption schemes we have seen
so far. First of all, it provides the highest possible levels of security, namely
IND-CCA2 and sUF-CMA in the insider security model.
Another advantage is that PSEP2 can be used as a plain encryption
or signature scheme. By replacing f
A
with the identity permutation, it
becomes an IND-CCA2-secure encryption scheme, and by replacing f
B
with
the identity permutation, it becomes an sUF-CMA-secure signature scheme.
Here we will call these schemes PSEP2-ENC and PSEP2-SIG, respectively.
Dodis et al. [5] did not explicitly consider non-repudiation, but it turns
out that we can easily add it to PSEP2. To see this, consider the three
possible trapdoor steps:
u f
B
(w)[[f
1
A
(s) (Parallel mode)
u f
B
(f
1
A
(w[[s) (Sequential mode)
u f
B
(f
1
A
(w))[[s (Extended sequential mode)
Note that in each case, the recipient can apply f
1
B
to the appropriate part
of the ciphertext, thereby replacing f
B
with the identity permutation and
giving a valid PSEP2-SIG signature. That is, PSEP2 is a PSEP2-SIG-
veriable signcryption scheme, and thus provides non-repudiation.
Note that PSEP2 does not provide a signicant computational advantage
over trapdoor-based otc

(or cto

) since both require two trapdoor opera-

tions. In fact, it is easy to see that we cannot hope to do better; clearly
the senders trapdoor permutation is needed for authenticity, and the recipi-
ents for condentiality. However, even though the total computational cost
cannot be signicantly reduced, the parallel mode of PSEP2 does allow the
two trapdoor permutations to be applied in parallel, which could reduce the
computation time by half.
One further advantage of the parallel mode over the other two is that it
allows f
A
and f
B
of diering lengths. That is, each user can independently
choose the length of his keys. When using the other two modes, all users
must agree upon a common key length.
48
Chapter 6
Comparison
In this chapter we compare the signcryption schemes which were presented
in the previous chapters.
6.1 Cost of Signcryption
One of the possible ways to compare signcryption schemes is in terms of
their computational and communication overhead. However, there are a
number of factors which could make such a comparison dicult to carry
out, and even misleading. For example, the results of such a comparison
could depend on:
the choice of underlying encryption and signature schemes or trapdoor
permutation family;
the length of messages to be signcrypted;
the level of security desired; and
the number of oracle queries allowed to a potential adversary.
For this reason we will not attempt such a comparison here. It is worthwhile,
however, to consider how much of an improvement signcryption can possibly
provide. Since signcryption combines the functionalities of signature and
encryption schemes, we would not expect it to perform better than either
of them. This is indeed the case, since any signcryption scheme can be
converted into an encryption scheme and a signature scheme, both of which
have the same computational and communication overhead as the original
signcryption scheme, and which satisfy the same security properties. These
49
induced encryption and signature schemes were rst introduced by An,
Dodis, and Rabin [1], and are dened as follows:
Denition 6.1. Let o( be a signcryption scheme. Then the induced en-
cryption scheme of o( is given by:
Enc-KeyGen(1
k
):
1. (SDK
A
, VEK
A
) KeyGen(1
k
)
2. (SDK
B
, VEK
B
) KeyGen(1
k
)
3. pub VEK
A
, VEK
B

4. Return (EK, DK) (SDK

A
, pub, SDK
B
, pub).
Enc
EK
(m):
1. Return c SigEnc
SDK
A
,VEK
B
(m).
Dec
DK
(c):
1. Return m VerDec
VEK
A
,SDK
B
(c).
Denition 6.2. Let o( be a signcryption scheme. Then the induced signa-
ture scheme of o( is given by:
Sig-KeyGen(1
k
):
1. (SDK
A
, VEK
A
) KeyGen(1
k
)
2. (SDK
B
, VEK
B
) KeyGen(1
k
)
3. pub VEK
A
, VEK
B

4. Return (SK, VK) (SDK

A
, pub, SDK
B
, pub).
Sig
SK
(m):
1. Return s SigEnc
SDK
A
,VEK
B
(m).
Ver
VK
(s):
1. If VerDec
VEK
A
,SDK
B
(s) = return fail, else return succeed.
While these induced schemes do give a lower bound for the cost of sign-
cryption, they are not especially useful in practice, since their key sizes are
much larger than those of the original signcryption scheme.
Of course there is no upper bound on the cost of signcryption, but it
would make little sense to consider signcryption schemes with overhead sig-
nicantly greater than the overhead of the traditional sign-then-encrypt ap-
proach. Since otc

provides a very strong level of security, as well as non-

repudiation, it makes sense to gauge other signcryption schemes against it.
50
The computational cost of otc

is simply the sum of the costs for its

underlying encryption and signature schemes. Informally then, we have
Cost(Encryption), Cost(Signature) Cost(Signcryption)
Cost(Encryption) + Cost(Signature).
This implies that we cannot expect any signcryption scheme to oer more
than a two-fold improvement in computational cost over otc

.
With respect to communication overhead, there is a bit more room for
improvement. This is because the ciphertext is lengthened not only by the
signature and encryption steps, but also by the senders identity, which is
appended before encryption. If the identity is hashed to minimize its length,
then we have
Cost(Encryption), Cost(Signature) Cost(Signcryption)
Cost(Encryption) + Cost(Signature) +[ H()[.
Here we can assume that [ H()[ is less than the overhead introduced by the
encryption and signature steps, so we certainly cannot expect more than a
three-fold improvement in communication overhead over otc

.
6.2 Comparison Charts
Now we turn our attention to those features which can be more easily com-
pared. In Table 6.1 we look at the levels of security provided by each of
the proposed signcryption schemes. In the table, the less-than symbol (<)
indicates that a slightly weaker security level is achieved, as explained in
Section 4.2. Question marks (???) indicate that the problem has not been
explicitly considered (although in these cases it is known that indistinguisha-
bility is not provided), while a dash () indicates that no security is pro-
vided.
Here PSEP2 is the clear winner, with all three of its modes of operation
providing a better level of security than even cto

and otc

. PSEP2 has the

further advantage that it achieves this level of security while requiring only
trapdoor permutations, which are relatively easy to construct. cto

and
otc

provide quite good security, but only if the underlying encryption and
signature schemes do as well. Bao and Dengs scheme and SC-DSA+ are in
a similar situation, since their UF-CMA security depends on the unproven
assumption that DSA is UF-CMA-secure.
51
Outsider Security Insider Security
Conf. Auth. Conf. Auth.
cto

IND-gCCA2 sUF-CMA IND-gCCA2 sUF-CMA

otc

IND-CCA2 UF-CMA IND-CCA2 UF-CMA

c&o ??? sUF-CMA ??? sUF-CMA
Zheng < IND-CCA2 < UF-CMA < UF-CMA
Bao & Deng ??? UF-CMA UF-CMA
SC-DSA+ < IND-CCA2 UF-CMA UF-CMA
PSEP2 IND-CCA2 sUF-CMA IND-CCA2 sUF-CMA
Table 6.1: Security Comparison
Non-rep. Sig. Ver. F. Sec. / P. Rec. Parallel
otc

Yes Yes, any Forward Secrecy

cto

Forward Secrecy
c&o Yes Yes, any Forward Secrecy SC
Zheng Past Recovery
Bao & Deng Yes Past Recovery SC
SC-DSA+ Yes Yes, DSA Past Recovery SC
PSEP2 (P) Yes Yes, PSEP2-SIG Forward Secrecy SC, DSC
PSEP2 (S) Yes Yes, PSEP2-SIG Forward Secrecy
PSEP2 (X) Yes Yes, PSEP2-SIG Forward Secrecy
Table 6.2: Feature Comparison
In Table 6.2 we look at which properties are oered by each of the
signcryption schemes. The rst column indicates whether a secure non-
repudiation mechanism is available. The second column indicates whether
the signcryption scheme is o-veriable, and if so, for which signature scheme.
The third column indicates which of forward secrecy or past recovery is
provided. The last column indicates whether the signcryption (SC) or de-
signcryption (DSC) steps can be parallelized. The letters (P, S, X) beside
PSEP2 indicate the mode of operation (parallel, sequential, extended se-
quential).
Once again, PSEP2 compares very favourably to the others, especially its
parallel mode of operation. Its only disadvantage is that its non-repudiation
mechanism involves a non-standard signature scheme (PSEP2-SIG). otc

is
52
also a good choice in cases where parallelization is not important. It has
a very simple and o-veriable non-repudiation mechanism. In cases where
past recovery is required, then clearly SC-DSA+ is the best choice.
53
Chapter 7
Conclusions
7.1 Lessons Learned
Although Zheng originally set out to achieve greater eciency by combining
encryption and signature schemes, the focus has subsequently shifted to
other issues, such as security and non-repudiation. The issue of security
is of key importance, since it has implications for all systems which use
encryption and signatures together. There are many such systems in use
today, and it would be worthwhile to reconsider them in terms of the security
model for signcryption.
The security model has taught us what is perhaps the most important
lesson to be learned from signcryption, namely that simply composing two
cryptographic primitives (in this case, encryption and signature schemes)
does not necessarily result in something which satises the security prop-
erties of both. It was only after dening an appropriate security model
that we were able to pinpoint and correct the defects of the widely-used
sign-then-encrypt paradigm.
7.2 Directions for Future Research
Ultimately, one would like to have a signcryption scheme which simultane-
ously
provides IND-CCA2 and sUF-CMA security in the insider model;
has computational and communication overhead not signicantly
greater than a conventional encryption or signature scheme;
55
has key sizes not signicantly greater than a conventional encryption
or signature scheme;
allows each user to choose his key size independently;
provides a secure non-repudiation mechanism, preferably via a widely-
used signature scheme;
allows for signicant parallelization in both the signcryption and de-
signcryption steps; and
provides ecient encrypt-only and sign-only modes.
Of all the signcryption schemes presented here, none of them are able to
achieve all of these goals. PSEP2 (in its parallel mode) comes the closest, but
it is suboptimal with respect to computational overhead, and provides non-
repudiation only via its own special-purpose signature scheme. There is still
plenty of room for improvement on the way to a truly optimal signcryption
scheme.
Another area worthy of exploration is the use of the signcryption prim-
itive in cryptographic protocols. The signcryption primitive is a powerful
abstraction, since it encompasses not only condentiality and authenticity,
but also user identities (via its multi-user security denition). As mentioned
in the introduction, this has allowed for the construction of a very simple au-
thenticated key-exchange protocol. Undoubtedly there are other protocols
which could be similarly simplied using signcryption.
56
Bibliography
[1] Jee Hea An, Yevgeniy Dodis, and Tal Rabin. On the security of joint sig-
nature and encryption. In L.R. Knudsen, editor, Proc. of Eurocrypt 02,
volume 2332 of LNCS, pages 83107. Springer-Verlag, 2002. Updated
version available at: http://theory.lcs.mit.edu/

yevgen/ps/signcrypt.
ps.
[2] Joonsang Baek, Ron Steinfeld, and Yuliang Zheng. Formal proofs for
the security of signcryption. In D. Naccache and P. Paillier, editors,
Proc. of PKC 02, volume 2274 of LNCS, pages 8098. Springer-Verlag,
2002.
[3] Feng Bao and Robert H. Deng. A signcryption scheme with signature
directly veriable by public key. In H. Imai and Y. Zheng, editors, Proc.
of PKC 98, volume 1431 of LNCS, pages 5559. Springer-Verlag, 1998.
[4] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A
paradigm for designing ecient protocols. In Proc. of First ACM Con-
ference on Computer and Communications Security, pages 6273. ACM
Press, 1993.
[5] Yevgeniy Dodis, Michael J. Freedman, Stanislaw Jarecki, and Shabsi
Walsh. Optimal signcryption from any trapdoor permutation, 2004.
Cryptology ePrint Archive, Report 2004/020. http://eprint.iacr.org/
2004/020/.
[6] Hugo Krawczyk and Tal Rabin. Chameleon signatures. In Proc. of
NDSS 00, pages 143154, 2000.
[7] John Malone-Lee. Identity based signcryption, 2002. Cryptology ePrint
Archive, Report 2002/098. http://eprint.iacr.org/2002/098/.
[8] Alfred Menezes and Nigel Smart. Security of signature schemes in a
multi-user setting. In Dieter Jungnickel, Jennifer Key, and Peter Wild,
57
editors, Designs, Codes and Cryptography, volume 33, pages 261274.
Kluwer Academic Publishers, 2004.
[9] Tatsuaki Okamoto and David Pointcheval. The gap-problems: A
new class of problems for the security of cryptographic schemes. In
K. Kim, editor, Proc. of PKC 01, volume 1992 of LNCS, pages 104
118. Springer-Verlag, 2001.
[10] Pascal Paillier. A trapdoor permutation equivalent to factoring. In
H. Imai and Y. Zheng, editors, Proc. of PKC 99, volume 1560 of LNCS,
pages 219222. Springer-Verlag, 1999.
[11] H. Petersen and M. Michels. Cryptanalysis and improvement of sign-
cryption schemes. In IEE Proceedings Computers and Digital Tech-
niques, volume 145, pages 149151. 1998.
[12] Josef Pieprzyk and David Pointcheval. Parallel authentication and
public-key encryption. In R. Safavi-Naini and J. Seberry, editors, Proc.
of ACISP 03, volume 2727 of LNCS, pages 387401. Springer-Verlag,
2003.
[13] David Pointcheval and Jacques Stern. Security proofs for signature
schemes. In U. Maurer, editor, Proc. of Eurocrypt 96, volume 1070 of
LNCS, pages 387398. Springer-Verlag, 1996.
[14] Jun-Bum Shin, Kwangsu Lee, and Kyungah Shim. New DSA-veriable
signcryption schemes. In P.J. Lee and C.H. Lim, editors, Proc. of ICISC
02, volume 2587 of LNCS, pages 3547. Springer-Verlag, 2002.
[15] Yuliang Zheng. Digital signcryption or how to achieve cost(signature
& encryption) cost(signature) + cost(encryption). In B.S. Kaliski
Jr., editor, Proc. of Crypto 97, volume 1294 of LNCS, pages 165179.
Springer-Verlag, 1997.
58