
Information Sciences 180 (2010) 549–559


Signcryption from randomness recoverable public key encryption


Chung Ki Li, Duncan S. Wong *
Department of Computer Science, City University of Hong Kong, Hong Kong

Article history: Received 30 October 2008; received in revised form 21 October 2009; accepted 21 October 2009.

Keywords: Signcryption; Public Key Encryption with Randomness Recovery; Public key cryptography; Provable security.

Abstract. We propose a new generic construction for signcryption and show that it is secure under security models which are comparable to the security against adaptive chosen ciphertext attacks for public key encryption and the existential unforgeability against chosen message attacks for signature. In particular, the security models also capture the notion of insider security. The generic construction relies on the existence of a special class of efficient public key encryption schemes which allow the encryption randomness to be recovered during decryption. We also propose two efficient instantiations for the generic construction and show that one of them has less message expansion and yields smaller ciphertext when compared with all the existing signcryption schemes.

© 2009 Elsevier Inc. All rights reserved.

1. Introduction

Signcryption, introduced by Zheng [29], is a cryptographic primitive which aims to provide confidentiality and unforgeability simultaneously, but with shorter ciphertext and/or lower computational cost when compared with the traditional method of doing signature generation and data encryption separately. For evaluating the performance gain of a signcryption scheme, we compare it with the sign-then-encrypt paradigm [1], which is the conventional approach for providing both confidentiality and unforgeability. In this paradigm, a message is first signed under a sender's private key, and the message together with the signature are then encrypted under a receiver's public key.
To make the comparison precise, we define a Message Expansion Rate (MER), which is computed as the ratio of the size of the ciphertext generated by the signcryption scheme to the size of the original message. Suppose the message size is $L_M$, the signature size is $L_S$, and the ratio of ciphertext size to message size of the underlying encryption scheme of the sign-then-encrypt approach is $R_{EC2M} \ge 1$. The MER of the sign-then-encrypt approach is equal to $R_{EC2M} \cdot (L_M + L_S)/L_M$.
In this paper, we propose a new approach for constructing efficient signcryption schemes. We employ a special class of public key encryption schemes where the randomness used in the encryption process can be recovered together with the message during the decryption process. We call such a scheme Public Key Encryption with Randomness Recovery (PKE-RR). PKE-RR has been used in many other places. For example, Micali used PKE-RR to construct optimistic fair exchange protocols [21]. With a PKE-RR, we construct a generic signcryption scheme as follows. First, a signature on a message $m$ is generated; this is followed by encrypting the message. Different from the sign-then-encrypt paradigm, during the encryption the signature is used as the encryption randomness. This generic construction can be represented in the following form.

The work was supported by a grant from the Research Grants Council of the Hong Kong Special Administrative Region, China (Project No. CityU 122107).
* Corresponding author.
E-mail addresses: travisli@cs.cityu.edu.hk (C.K. Li), duncan@cityu.edu.hk (D.S. Wong).

doi:10.1016/j.ins.2009.10.015

$\mathrm{Signcrypt}(sk_A, pk_B, m) = E(pk_B, m, S(sk_A, m))$ (1)

where $sk_A$ is the sender's private key; $pk_B$ is the receiver's public key; $E(pk, msg, coins)$ denotes the PKE-RR encryption algorithm on message $msg$, using encryption randomness $coins$ under public key $pk$; and $S(sk, msg)$ denotes the signature of $msg$ under private signing key $sk$.
During de-signcryption, due to the randomness recovery property of PKE-RR, both $m$ and $S(sk_A, m)$ are recovered using the receiver's private key $sk_B$. The signature is then verified using the sender's public key $pk_A$.
Intuitively, the confidentiality of this generic signcryption scheme relies on the security of the PKE-RR, while in the conventional security analysis of public key encryption schemes (e.g. IND-CCA2 security [24]) the encryption randomness $coins$ of $E$ is chosen uniformly at random from a certain space defined by the public key. In the signcryption scheme above, the encryption randomness is a signature $S(sk_A, m)$. This indicates that certain requirements on the distribution of the signature are needed for ensuring the confidentiality of the signcryption scheme. In particular, for insider security [1], the signature scheme cannot be deterministic; it should be randomized, with some specific requirements on both the signature space distribution and its cardinality. In the later part of the paper, we will provide a formal treatment of this aspect.
The MER of this approach is equal to the $R_{EC2M}$ of the underlying PKE-RR, which gives an improvement in bandwidth efficiency by a factor of $(L_M + L_S)/L_M$ when compared with that of the sign-then-encrypt approach. Also note that the value $R_{EC2M}$ is the lower bound of the MER once the public key encryption scheme is fixed. In other words, the ciphertext generated using this new signcryption scheme has the same size as that created directly by encrypting the original message using the underlying encryption scheme.
Our results. We formalize this new approach for constructing efficient signcryption schemes and show that it is secure
under the strongest security notions (Section 3) under the condition that the PKE-RR satisfies a special type of CCA2 security,
namely X-uniform CCA2 security (Definition 4), and the underlying signature is distributed uniformly (Definition 5). We also
propose two efficient instantiations of this approach. One of them achieves the least message expansion and yields the small-
est ciphertext size among all the known signcryption schemes which can achieve the same level of security.
Paper organization. In the next section, we review some previous work and focus our discussions on the techniques that
have been used for constructing signcryption schemes and the development of the security models. In Section 3, we formal-
ize the definition and the security models for signcryption. In Section 4, we propose a new generic construction of signcryp-
tion schemes and prove its security under the models we formalized in Section 3. In Sections 5 and 6, we propose two
instantiations for the generic scheme and then evaluate their performance by comparing them with the performance of some
previous schemes in Section 7. We conclude the paper in Section 8.

2. Related work

There have been many signcryption schemes proposed since its introduction by Zheng [29] in 1997. To name a few, these
schemes include [4,14,22,26,27,2,1,20,17,16]. In [2], Baek et al. defined two security models for the confidentiality and
unforgeability of signcryption. They are analogous to the corresponding indistinguishability-based semantic security against
adaptive chosen ciphertext attack and existential unforgeability against adaptive chosen message attack for public key
encryption and digital signature, respectively.
In [1], An et al. proposed the notion of insider security and showed that both of the generic sequential compositions, namely sign-then-encrypt and encrypt-then-sign, can derive insider secure signcryption schemes. However, these compositions may not have much advantage in reducing the size of the ciphertext.
Malone-Lee and Mao proposed an efficient signcryption scheme in [20]. The technique they proposed is similar to the encoding method of OAEP [5], and RSA is used as the underlying one-way trapdoor permutation. In the scheme, the message is "double wrapped" by RSA signature and encryption. The resulting signcrypted text (i.e. the ciphertext) has the same size as that of an RSA encryption or that of an RSA signature. Moreover, it supports public verifiability [4], which is an "unwrapping" feature that allows the receiver to retrieve the sender's signature from the signcrypted text for public verification.
Like many other cryptographic primitives [11,18,19], signcryption also has many variants. In [10], Boyen introduced
ciphertext anonymity to signcryption under the identity-based cryptographic setting. Ciphertext anonymity requires that
the ciphertext should hide the identities of both sender and receiver. In [16], Li et al. proposed an efficient signcryption
scheme with ciphertext anonymity in the standard PKI-based setting. The security of their scheme is proven under a model
due to Libert and Quisquater [17]. The size of the signcrypted text is the smallest among all the comparable signcryption
schemes. In Section 6, we describe an instantiation of the generic signcryption scheme we propose in this paper and show
that it has an even shorter signcrypted text while providing the same level of confidentiality and unforgeability as that of
[16].

3. Definitions and security models

Definition 1. A signcryption scheme is a quadruple of probabilistic polynomial-time (PPT) algorithms SC = (KeyGen, Signcrypt, DeSigncrypt, Verify).

[KeyGen:] On input $1^k$, where $k \in \mathbb{N}$ is a security parameter, KeyGen generates a public/private key pair $(pk, sk)$. In the following, we use $(pk_A, sk_A)$ and $(pk_B, sk_B)$ to denote the key pairs of a sender and a receiver, respectively, and consider each of them as being generated independently by KeyGen.
[Signcrypt:] On input $sk_A$, $pk_B$ and message $m \in \mathrm{SC.MSPC}(pk_B)$, Signcrypt generates a ciphertext $c$, where $\mathrm{SC.MSPC}(pk_B)$ is the message space defined by $pk_B$.
[DeSigncrypt:] On input $sk_B$, $pk_A$ and ciphertext $c$, DeSigncrypt outputs either a message-signature pair $(m, \sigma)$ or a symbol $\bot$ indicating the failure of de-signcryption.
[Verify:] On input $pk_A$, $m$ and $\sigma$, Verify outputs 1 (for valid) or 0 (for invalid).

Correctness. For any $k \in \mathbb{N}$, $(pk_A, sk_A)$ and $(pk_B, sk_B)$ output by KeyGen using independently generated random coins, and $m \in \mathrm{SC.MSPC}(pk_B)$, if $c = \mathrm{Signcrypt}(sk_A, pk_B, m)$, then we have $(m, \sigma) = \mathrm{DeSigncrypt}(sk_B, pk_A, c)$ and $\mathrm{Verify}(pk_A, m, \sigma) = 1$.
Remark. The definition above makes support of the "unwrapping" feature compulsory for SC. First introduced by Bao and Deng [4] as public verifiability, and later a common requirement for signcryption schemes [20,10,17,16], the "unwrapping" feature allows the receiver to retrieve the sender's signature from the ciphertext for public verification. If this option is not mandatory, one can modify the definition above by removing Verify and having DeSigncrypt output $m$ only if the de-signcryption algorithm is carried out successfully, or $\bot$ otherwise.

A signcryption scheme is secure if it is semantically secure against adaptive chosen ciphertext attack (SC-IND-CCA) and existentially unforgeable against chosen message attack (SC-EUF-CMA). They are formalized using the games below.
Game Confidentiality. Let $k \in \mathbb{N}$ be a security parameter. Let $C$ be the game simulator and $A$ the adversary.

1. $C$ generates a key pair by computing $(pk_U, sk_U) \leftarrow \mathrm{KeyGen}(1^k)$ and then invokes $A$ with input $pk_U$.
2. $A$ can make queries to the following oracles.
   - Osigncrypt: On input a public key $pk_R$ (such that $pk_R \ne pk_U$) and a message $m \in \mathrm{SC.MSPC}(pk_R)$, it returns $c \leftarrow \mathrm{Signcrypt}(sk_U, pk_R, m)$.
   - Odesigncrypt: On input a public key $pk_S$ (such that $pk_S \ne pk_U$) and a ciphertext $c$, it returns $\mathrm{DeSigncrypt}(sk_U, pk_S, c)$.
3. $A$ produces two plaintexts $m_0, m_1 \in \mathrm{SC.MSPC}(pk_U)$ of equal length and a private key $sk_S^*$ such that $sk_S^*$ is in the range of $\mathrm{KeyGen}(1^k)$; $C$ flips a random coin $b \xleftarrow{R} \{0,1\}$ and sends to $A$ a challenge signcryption $c^* = \mathrm{Signcrypt}(sk_S^*, pk_U, m_b)$.
4. $A$ continues making queries to the oracles above until it outputs a bit $b'$. $A$ wins the game if $b' = b$ and it has never queried Odesigncrypt with $c^*$.

$A$'s advantage is defined as $\mathrm{Adv}^{ind\text{-}cca}(A) = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$. The probability is taken over the random coin tosses of $C$ and $A$, and the random coin tosses for simulating the oracles.
Definition 2. Let $k \in \mathbb{N}$ be a security parameter. A signcryption scheme SC = (KeyGen, Signcrypt, DeSigncrypt, Verify) is SC-IND-CCA secure if for any PPT adversary $A$, $\mathrm{Adv}^{ind\text{-}cca}(A)$ is negligible in $k$.
This definition captures the notion of insider security [1].
Game Unforgeability. Let $k \in \mathbb{N}$ be a security parameter. Let $C$ be the game simulator and $F$ the adversary.

1. $C$ runs $(pk_U, sk_U) \leftarrow \mathrm{KeyGen}(1^k)$ and then invokes $F$ with input $pk_U$.
2. $F$ can make queries to Osigncrypt and Odesigncrypt as in Game Confidentiality above.
3. $F$ produces a ciphertext $c^*$ and a key pair $(sk_R^*, pk_R^*)$, and wins the game if
   (a) $(m^*, \sigma^*) \leftarrow \mathrm{DeSigncrypt}(sk_R^*, pk_U, c^*)$,
   (b) $1 \leftarrow \mathrm{Verify}(pk_U, m^*, \sigma^*)$,
   (c) $F$ has never queried Osigncrypt with $m^*$.

Definition 3. A signcryption scheme SC = (KeyGen, Signcrypt, DeSigncrypt, Verify) is SC-EUF-CMA secure if for any PPT $F$, the probability that $F$ wins in Game Unforgeability is negligible in $k$.

The probability is taken over the random coin tosses of $C$ and $F$, and the random coin tosses for simulating the oracles.

Note that we allow $F$ to have full control over the generation of the de-signcryption key pair $(sk_R^*, pk_R^*)$. Again, this is for capturing the notion of insider security.

4. The generic construction

We now continue elaborating the idea motivated in the Introduction and give the complete specification of the generic signcryption scheme we are proposing in this paper.
Let PKE-RR = $(KG^{enc}, E, D)$ be a public key encryption scheme with randomness recovery and SS = $(KG^{sig}, S, V)$ a signature scheme. We will give their formal definitions and security models shortly. Below is the generic signcryption scheme SC = (KeyGen, Signcrypt, DeSigncrypt, Verify).

The Generic Signcryption Scheme SC = (KeyGen, Signcrypt, DeSigncrypt, Verify):

- KeyGen$(1^k)$: Compute $(pk^e, sk^e) \leftarrow KG^{enc}(1^k)$ and $(pk^s, sk^s) \leftarrow KG^{sig}(1^k)$ and set public key $pk = (pk^e, pk^s)$ and private key $sk = (sk^e, sk^s)$. In the following, we let $(pk_A, sk_A)$ and $(pk_B, sk_B)$ be the key pairs of a sender and a receiver, respectively, generated independently using KeyGen.
- Signcrypt$(sk_A, pk_B, m)$: Compute $\sigma = S(sk_A^s, H(m))$ and return $c = E(pk_B^e, m, \sigma)$, where $H: \{0,1\}^* \to \{0,1\}^k$ is a collision-resistant hash function.
- DeSigncrypt$(sk_B, pk_A, c)$: Output $D(sk_B^e, c)$. Note that if $c = E(pk_B^e, m, \sigma)$, then the output of $D$ is $(m, \sigma)$, where the encryption randomness $\sigma$ is also recovered due to the randomness recovery property of PKE-RR.
- Verify$(pk_A, m, \sigma)$: Output $V(pk_A^s, m, \sigma)$.

For correctness, we require the following bounds on the message and signature spaces.

1. The message space $\mathrm{SC.MSPC}(pk_B)$ of SC is defined as $\mathrm{PKE.MSPC}(pk_B^e)$, which is the message space of PKE-RR.
2. Let $\mathrm{SSPC}(pk_A^s, m) = \{\sigma \leftarrow S(sk_A^s, m)\}$ be the set of all valid signatures of message $m \in \{0,1\}^k$. We use $\mathrm{SSPC}(pk_A^s) = \bigcup_{m \in \{0,1\}^k} \mathrm{SSPC}(pk_A^s, m)$ to denote the signature space of SS with respect to a public key $pk_A^s$. We require that $\mathrm{SSPC}(pk_A^s) \subseteq \mathrm{PKE.COINS}(pk_B^e)$ for any $pk_A^s$ and $pk_B^e$ generated using $KG^{sig}$ and $KG^{enc}$, respectively, where $\mathrm{PKE.COINS}(pk_B^e)$ is the randomness space of PKE-RR.

If the key generation algorithms of the underlying encryption and signature schemes are identical, we may simplify the gen-
eric signcryption scheme by letting KeyGen run the underlying key generation algorithm once only. Then, each party will use
one single key for both signcryption as a sender and de-signcryption as a receiver, provided that this simplification does not
compromise the security of the signcryption scheme. If they do not have the identical key generation algorithm, we only
consider the encryption public key and ignore the signature verification public key when considering the public key of a
receiver; while we only consider the signing private key rather than the decryption private key when considering the private
key of the sender. This also applies to the oracles that we have defined in the two security games in Section 3.
In the following, we specify the security requirements of the primitives, PKE-RR and SS, and then show the security of the
generic signcryption scheme SC.
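As an added illustration (not code from the paper), the generic scheme SC instantiated in Python with a toy RSA-OAEP+ as the PKE-RR (the candidate chosen in Section 5) and a salted RSA full-domain-hash signature standing in for SS; all function names, the parameter sizes and the salted-FDH choice are my assumptions, and the sizes are far too small to be secure. It makes requirement 2 concrete: the whole signature is one element of PKE.COINS, so the ciphertext is a single RSA block with no separate signature appended, and D hands back both the message and the signature.

```python
# Added example (not the paper's code): SC = (KeyGen, Signcrypt, DeSigncrypt, Verify) with a
# toy RSA-OAEP+ as the PKE-RR and a salted RSA-FDH as SS. Sizes are tiny; nothing here is secure.
import hashlib, secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin for odd n > 3: composite unless x is +-1 or a later square is -1."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(s - 1)):
            return False
    return True

def _rand_prime(bits):
    """Random prime with its top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(p):
            return p

def _rsa_keygen(bits):
    """Toy RSA key (n, e, d) with an n of exactly `bits` bits."""
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % 65537:
            return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def _h(tag, data, nbytes):
    """Domain-separated hash to nbytes: plays G, H and H' of OAEP+ and the FDH."""
    blocks = (hashlib.sha256(tag + i.to_bytes(4, "big") + data).digest()
              for i in range((nbytes + 31) // 32))
    return b"".join(blocks)[:nbytes]

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

ENC_BITS, SIG_BITS, SALT_LEN, TAG_LEN = 512, 256, 8, 8   # toy parameters
COIN_LEN = SALT_LEN + SIG_BITS // 8        # PKE.COINS(pk_B) holds exactly one signature
PAD_LEN = ENC_BITS // 8 - 1                # OAEP+ block, one byte shorter than n
MSG_LEN = PAD_LEN - COIN_LEN - TAG_LEN     # PKE.MSPC(pk_B): 15-byte messages

def pke_encrypt(pk, m, coins):
    """OAEP+ over toy RSA; the encryption randomness `coins` is an explicit input."""
    n, e = pk
    s = _xor(m, _h(b"G", coins, MSG_LEN)) + _h(b"H'", coins + m, TAG_LEN)
    t = _xor(coins, _h(b"H", s, COIN_LEN))
    return pow(int.from_bytes(s + t, "big"), e, n)

def pke_decrypt(sk, c):
    """Randomness recovery: returns (m, coins), or None when the H' tag does not match."""
    n, d = sk
    x = pow(c, d, n) if 0 <= c < n else n        # out-of-range c is rejected below
    if x.bit_length() > 8 * PAD_LEN:
        return None
    x = x.to_bytes(PAD_LEN, "big")
    s, t = x[:MSG_LEN + TAG_LEN], x[MSG_LEN + TAG_LEN:]
    coins = _xor(t, _h(b"H", s, COIN_LEN))                  # r = t XOR H(s)
    m = _xor(s[:MSG_LEN], _h(b"G", coins, MSG_LEN))         # m = s1 XOR G(r)
    return (m, coins) if s[MSG_LEN:] == _h(b"H'", coins + m, TAG_LEN) else None

def sig_sign(sk, msg):
    """Salted RSA-FDH: one valid signature per salt, so |SSPC(pk, msg)| = 2^64, uniform in the salt."""
    n, d = sk
    salt = secrets.token_bytes(SALT_LEN)
    y = int.from_bytes(_h(b"FDH", salt + msg, SIG_BITS // 8), "big") % n
    return salt + pow(y, d, n).to_bytes(SIG_BITS // 8, "big")

def sig_verify(pk, msg, sigma):
    n, e = pk
    if len(sigma) != COIN_LEN:
        return False
    salt, s = sigma[:SALT_LEN], int.from_bytes(sigma[SALT_LEN:], "big")
    y = int.from_bytes(_h(b"FDH", salt + msg, SIG_BITS // 8), "big") % n
    return s < n and pow(s, e, n) == y

def sc_keygen():
    """KeyGen: pk = (pk^e, pk^s), sk = (sk^e, sk^s)."""
    ne, ee, de = _rsa_keygen(ENC_BITS)
    ns, es, ds = _rsa_keygen(SIG_BITS)
    return ((ne, ee), (ns, es)), ((ne, de), (ns, ds))

def signcrypt(sk_a, pk_b, m):       # Signcrypt(sk_A, pk_B, m) = E(pk_B^e, m, S(sk_A^s, H(m)))
    return pke_encrypt(pk_b[0], m, sig_sign(sk_a[1], hashlib.sha256(m).digest()))
def designcrypt(sk_b, pk_a, c):     # DeSigncrypt: D(sk_B^e, c) yields (m, sigma)
    return pke_decrypt(sk_b[0], c)
def verify(pk_a, m, sigma):         # Verify: the unwrapped sigma is publicly checkable under pk_A^s
    return sig_verify(pk_a[1], hashlib.sha256(m).digest(), sigma)

def demo():
    """Round trip, tamper rejection, and the MER point: |c| is one RSA block, no extra L_S."""
    pk_a, sk_a = sc_keygen()
    pk_b, sk_b = sc_keygen()
    m = b"pay 100 to bob!"                       # constructed 15-byte message
    c = signcrypt(sk_a, pk_b, m)
    m2, sigma = designcrypt(sk_b, pk_a, c)
    tampered = designcrypt(sk_b, pk_a, c ^ 1)    # one flipped bit: H' tag check fails
    return m2 == m and verify(pk_a, m2, sigma), tampered is None, c.bit_length() <= ENC_BITS
```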

4.1. Public Key Encryption with Randomness Recovery (PKE-RR)

PKE-RR = $(KG^{enc}, E, D)$ is a triple of probabilistic polynomial-time (PPT) algorithms associated with a message space PKE.MSPC and a randomness space PKE.COINS.

- $KG^{enc}$ takes a security parameter $1^k$ ($k \in \mathbb{N}$) and outputs a public/private key pair $(pk, sk)$.
- $E$ takes a public key $pk$, a message $m \in \mathrm{PKE.MSPC}(pk)$ and a randomness $x \xleftarrow{R} \mathrm{PKE.COINS}(pk)$, and outputs a ciphertext $c = E(pk, m, x)$.
- $D$ takes a private key $sk$ and a ciphertext $c$, and returns a message $m$ and a randomness $x$, that is, $(m, x) \leftarrow D(sk, c)$, or $\bot$ if the decryption fails.

The correctness property of PKE-RR requires that for any $k \in \mathbb{N}$, if $(pk, sk) \leftarrow KG^{enc}(1^k)$, $m \in \mathrm{PKE.MSPC}(pk)$ and $x \in \mathrm{PKE.COINS}(pk)$, then $(m, x) \leftarrow D(sk, E(pk, m, x))$. Note that since $KG^{enc}$, $E$ and $D$ are all PPT algorithms, each of them has a randomness input. However, we only explicitly specify the randomness used in $E$ because it is the only one that concerns us in this paper.
In the generic signcryption scheme SC described above, the encryption randomness $\sigma$ is a signature. Intuitively, $\sigma$ should be distributed uniformly over $\mathrm{PKE.COINS}(pk_B^e)$ for reducing the SC-IND-CCA security of SC to the CCA2 security [24] of the underlying PKE-RR. However, this is impossible, because the fraction of valid signatures for any particular message over the signature space of all the messages should be negligibly small for any EUF-CMA secure signature scheme [15]. Otherwise, the chance of generating a successful forgery by randomly selecting an element of the signature space would become non-negligible. In other words, $\sigma$ cannot be uniformly distributed over $\mathrm{SSPC}(pk_A^s)$ (as defined in the correctness requirement of the generic construction described in Section 4).
In this work, we propose to use an encryption scheme with a stronger security notion, which is called X-uniform CCA2 security (as defined below). Informally, this security notion requires the encryption scheme to be CCA2 secure even if the encryption randomness is chosen uniformly at random over any minimal subset of $\mathrm{PKE.COINS}(pk_B^e)$, provided that the cardinality $X(k)$ of each minimal subset is large enough (for example, at least $2^k$). Each minimal subset can be considered as a collection of valid signatures of a particular message. In the security model below, we formalize this requirement using an oracle called Oracle X. This oracle allows the adversary to specify a function which models the signature generation algorithm specified in the generic signcryption scheme. It then outputs a signature-like value which will be used by the encryption oracle as the randomness when preparing the challenge ciphertext.
Definition 4 (X-uniform CCA2 security). Let PKE = $(KG^{enc}, E, D)$ be a public key encryption scheme. We say that PKE is X-uniform CCA2 secure if for any sufficiently large security parameter $k \in \mathbb{N}$ and any PPT adversary $A$, $A$'s advantage in the following 5-stage game is negligible in $k$. The game is modified from that of the conventional CCA2 security [24].

Stage 1. A public key pair $(pk, sk) \leftarrow KG^{enc}(1^k)$ is first generated and then $A$ is invoked on $pk$.
Stage 2. $A$ can make queries to two oracles: the decryption oracle and Oracle X. For the decryption oracle, each query is a ciphertext $y$ and the return of the oracle is $D(sk, y)$. For Oracle X, it takes one input which is the description of a function $f: R \to \mathrm{PKE.COINS}(pk)$. There are two requirements for $f$:
   1. $|f(R)| \ge X(k)$,
   2. if $x$ is uniformly distributed over $R$, then $f(x)$ is uniformly distributed over $f(R)$.
   On input $f$, Oracle X randomly picks $a \xleftarrow{R} R$ and returns $f(a)$.
Stage 3. $A$ chooses two distinct, equal-length messages $m_0$ and $m_1$ arbitrarily from $\mathrm{PKE.MSPC}(pk)$ and gives them together with two functions $f_0: R_0 \to \mathrm{PKE.COINS}(pk)$ and $f_1: R_1 \to \mathrm{PKE.COINS}(pk)$ to an encryption oracle. The requirements for $f_0$ and $f_1$ are the same as those for $f$ in the query of Oracle X described in Stage 2 above. The encryption oracle chooses $b \in \{0,1\}$ at random, and queries Oracle X with input $f_b$. Suppose the return of Oracle X is $\sigma_b$. The return of the encryption oracle is $y^* \leftarrow E(pk, m_b, \sigma_b)$.
Stage 4. $A$ continues querying Oracle X or submitting ciphertexts $y$ to the decryption oracle subject to the restriction that $y \ne y^*$.
Stage 5. $A$ outputs $\hat{b} \in \{0,1\}$.

$A$'s advantage in this game is defined as $\left|\Pr[b = \hat{b}] - 1/2\right|$.
For sufficiently large $k \in \mathbb{N}$, $X(k)$ should be large enough. Otherwise, it is infeasible to build an X-uniform CCA2 secure public key encryption scheme. The following theorem says that $X(k)$ cannot be any polynomial in $k$.
Theorem 1. For any public key encryption scheme PKE = $(KG^{enc}, E, D)$, PKE cannot be X-uniform CCA2 secure for any $X(k) = \mathrm{poly}(k)$, where $\mathrm{poly}(k)$ is a polynomial in $k$.

Proof. We construct a polynomial-time adversary $A$ which has non-negligible advantage in the game of X-uniform CCA2 security.

1. After receiving a challenge public key $pk$, $A$ arbitrarily picks two distinct, equal-length messages $m_0$ and $m_1$ from $\mathrm{PKE.MSPC}(pk)$ and sets both $f_0$ and $f_1$ to a permutation function $F: T \to T$, where $T \subseteq \mathrm{PKE.COINS}(pk)$ and $|T| = \mathrm{poly}(k)$. $A$ sends $m_0, m_1, f_0$ and $f_1$ to the game simulator as in Stage 3 of Definition 4.
2. After obtaining $y^*$ from the game simulator, $A$ carries out the following test: pick an element $a$ from $T$ and check if $y^* = E(pk, m_i, a)$ for $i = 0, 1$. If equality occurs, say when $i = 0$, then $A$ outputs 0 and finishes the game. Otherwise, $A$ picks another element from $T$ and repeats the test using the new element.

By carrying out this exhaustive search, $A$ can always find the encryption randomness that was used by the encryption oracle. Since the size of $T$ is small (i.e. with only $\mathrm{poly}(k)$ distinct randomnesses), $A$ is able to finish the search within time polynomial in $k$. □
It is obvious that if a public key encryption scheme PKE is X-uniform CCA2 secure, then it is also CCA2 secure. However, the reverse direction may not be true. Note that a PKE may already be secure if the probability of choosing any particular randomness is at most $2^{-k}$. However, this PKE may not be X-uniform CCA2 secure, because not every minimal subset with cardinality $X(k)$ is uniformly distributed. In the concrete constructions described in Sections 5 and 6, we always require $X(k)$ to be at least $2^k$.
Next, we specify the security requirement of the underlying signature scheme SS that is used in the generic signcryption scheme SC.
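The exhaustive search of Theorem 1 as an added example (not from the paper), run against a toy ElGamal that stands in for "any PKE": with $f_0 = f_1$ the identity on a 64-element coin set $T$, re-encrypting $m_0$ and $m_1$ under every element of $T$ recovers $b$ every time. The prime, base, message values and function names are my assumptions.

```python
# Added example (not the paper's code): the exhaustive search in the proof of Theorem 1,
# against a toy ElGamal standing in for an arbitrary PKE. Toy sizes only.
import secrets

P = (1 << 127) - 1   # the Mersenne prime 2^127 - 1; we work in Z_P^* (toy group)
G = 3                # fixed base; assumption: any element works for correctness here

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x            # (pk, sk)

def encrypt(pk, m, coins):
    """ElGamal with the randomness (an exponent) passed in explicitly; m in [1, P)."""
    return pow(G, coins, P), (m * pow(pk, coins, P)) % P

def challenge(pk, m0, m1, coin_set):
    """Stage 3 of Definition 4 with f0 = f1 = identity on a poly-size T: Oracle X draws
    the coins uniformly from T. Returns the challenge y* and (for checking only) b."""
    b = secrets.randbelow(2)
    return encrypt(pk, (m0, m1)[b], secrets.choice(coin_set)), b

def exhaustive_guess(pk, m0, m1, y, coin_set):
    """Theorem 1's adversary: re-encrypt m0 and m1 under every a in T until one equals y*."""
    for a in coin_set:
        for i, m in enumerate((m0, m1)):
            if encrypt(pk, m, a) == y:
                return i
    return None

def run(trials=20, t_size=64):
    """|T| = t_size plays poly(k): the guess is right in every trial, advantage 1/2."""
    pk, _sk = keygen()
    m0, m1 = 0x1234, 0x5678                 # constructed, distinct, equal-length messages
    coin_set = list(range(1, t_size + 1))   # T, a poly-size subset of PKE.COINS(pk)
    wins = 0
    for _ in range(trials):
        y, b = challenge(pk, m0, m1, coin_set)
        wins += exhaustive_guess(pk, m0, m1, y, coin_set) == b
    return wins, trials
```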

4.2. Uniformly-distributed signature

A signature scheme SS = $(KG^{sig}, S, V)$ is a triple of PPT algorithms.

- $KG^{sig}$ takes $1^k$ ($k \in \mathbb{N}$) and outputs a key pair $(pk, sk)$.
- $S$, called the signing algorithm, takes a private key $sk$ and a message $m \in \{0,1\}^k$, and produces a signature $\sigma = S(sk, m)$.
- $V$, called the verification algorithm, takes a public key $pk$, a message $m$ and a signature $\sigma$, and returns $1/0 = V(pk, m, \sigma)$.

Correctness: for any $k \in \mathbb{N}$, if $(pk, sk) \leftarrow KG^{sig}(1^k)$ and $m \in \{0,1\}^k$, then $1 = V(pk, m, S(sk, m))$.

On the security of SS, we require that SS be both EUF-CMA (existentially unforgeable against adaptive chosen message attacks) [15] and uniformly-distributed (as defined below in Definition 5). EUF-CMA can be defined by a game of three stages. In Stage 1, $(pk, sk) \leftarrow KG^{sig}(1^k)$ is carried out and adversary $F$ is then invoked with input $pk$. In Stage 2, $F$ may query a signing oracle by sending it a message $m$. The return of the oracle is a signature $S(sk, m)$. In Stage 3, $F$ outputs a message-signature pair $(m^*, \sigma^*)$ as a forgery. $F$ wins the game if $1 \leftarrow V(pk, m^*, \sigma^*)$ and $m^* \ne m$ for all the messages $m$ which have been queried to the signing oracle. SS is EUF-CMA if for any PPT $F$, the probability of winning the game is negligible in $k$.
Definition 5 (uniformly-distributed signature). Let SS = $(KG^{sig}, S, V)$ be a signature scheme. Given $k \in \mathbb{N}$, $(pk, sk) \leftarrow KG^{sig}(1^k)$ and $m \in \{0,1\}^k$, define
$\mathrm{SSPC}(pk, m) = \{\sigma \leftarrow S(sk, m)\}$
to be the set of all valid signatures of $m$ generated using $S$ under $sk$. We say that SS is uniformly-distributed if for any $k \in \mathbb{N}$, any $(pk, sk) \leftarrow KG^{sig}(1^k)$ and $m \in \{0,1\}^k$, the signature $\sigma \leftarrow S(sk, m)$ is distributed uniformly over $\mathrm{SSPC}(pk, m)$ when the randomness used by $S$ is chosen uniformly at random over the randomness space of $S$ defined under $sk$.
The following definition provides a link between the minimum size of SSPC of signature scheme SS over all messages and the value $X(k)$ of an X-uniform CCA2 secure public key encryption scheme with randomness recovery PKE-RR, which are used together in the generic signcryption scheme described in Section 4.
Definition 6 (minimum signature sub-space). Let SS = $(KG^{sig}, S, V)$ be a signature scheme. Given $(pk, sk) \leftarrow KG^{sig}(1^k)$ where $k \in \mathbb{N}$, the minimum signature sub-space $\mathrm{minSSPC}(pk)$ is defined as $\mathrm{SSPC}(pk, m^*)$ for some message $m^*$ such that $|\mathrm{SSPC}(pk, m^*)|$ is no greater than $|\mathrm{SSPC}(pk, m)|$ for all $m \in \{0,1\}^k$.
minSSPC is called the minimum signature sub-space rather than the minimum signature space. This is because minSSPC is the collection of all valid signatures of a particular message only, and is just a subset (sub-space) of the signature space that we defined in Section 4. Note that a deterministic signature scheme also satisfies the definition of a uniformly-distributed signature scheme, with $|\mathrm{minSSPC}(pk)| = 1$. However, this is not the signature scheme we want, as the resulting signcryption scheme could not be secure. In the next section, we will see that the signature scheme has to be probabilistic, and we suggest $|\mathrm{minSSPC}(pk)|$ to be $2^k$.

4.3. Security analysis

Theorem 2. The signcryption scheme SC = (KeyGen, Signcrypt, DeSigncrypt, Verify) described in Section 4 is SC-IND-CCA secure (Definition 2) if, for sufficiently large security parameter $k \in \mathbb{N}$, PKE-RR is X-uniform CCA2 secure (Definition 4) and SS is uniformly-distributed (Definition 5), where $|\mathrm{minSSPC}(pk)| \ge X(k)$ for all $pk$ generated by $KG^{sig}(1^k)$.

Proof. For contradiction, we construct an algorithm $B$ to compromise the X-uniform CCA2 security of PKE-RR if there exists an algorithm $A$ which can compromise the SC-IND-CCA security of SC.

Let $k \in \mathbb{N}$ be a security parameter. Suppose that $B$ is given a challenge public key $pk^*$ by the simulator in the X-uniform CCA2 security game for PKE-RR. $B$ simulates Game Confidentiality of SC as follows. $B$ first invokes $(pk_U^s, sk_U^s) \leftarrow KG^{sig}(1^k)$ and sets the public key $pk_U := (pk^*, pk_U^s)$ and private key $sk_U := (\cdot, sk_U^s)$, whose decryption component is unknown to $B$. Then $B$ invokes $A$ with input $pk_U$.
For the signcryption oracle Osigncrypt and de-signcryption oracle Odesigncrypt, $B$ simulates them as follows. On input a public key $pk_R := (pk_R^e, pk_R^s)$ and a message $m$, $B$ checks if $pk_R^e \ne pk^*$ and $m \in \mathrm{PKE.MSPC}(pk_R^e)$. If any of the checks is not passed, $B$ returns a failure signal back to $A$ indicating that the query does not follow the specification of Osigncrypt defined in Game Confidentiality. If all the checks are passed, $B$ returns $c \leftarrow E(pk_R^e, m, S(sk_U^s, H(m)))$. For Odesigncrypt, the inputs are a public key $pk_S := (pk_S^e, pk_S^s)$ and a ciphertext $c$. If $pk_S^s \ne pk_U^s$, $B$ queries the decryption oracle of the X-uniform CCA2 security game and returns what it obtains from the decryption oracle.

In Stage 3 of Game Confidentiality, after receiving two equal-length messages $m_0, m_1$ and a private signing key $sk_S^*$ from $A$, $B$ checks if $m_0, m_1 \in \mathrm{PKE.MSPC}(pk^*)$ and $sk_S^*$ is in the range of private keys generated by $KG^{sig}(1^k)$. If so, $B$ constructs two functions $f_0$ and $f_1$ by setting $f_0(\cdot) := S(sk_S^*, m_0; \cdot)$ and $f_1(\cdot) := S(sk_S^*, m_1; \cdot)$. In other words, the domains $R_0$ and $R_1$ of $f_0$ and $f_1$, respectively, are the randomness spaces of the signature scheme SS defined under the corresponding public key of $sk_S^*$. Then, according to the security game specified in Definition 4, $B$ sends $m_0, m_1, f_0$ and $f_1$ to the encryption oracle of the X-uniform CCA2 security game. Suppose that the return of the encryption oracle is $y^*$. $B$ sets and returns the challenge signcryption $c^* := y^*$.
In Stage 4, $B$ continues simulating the Osigncrypt and Odesigncrypt oracles as above. At the end of the simulation, $B$ outputs whatever $A$ outputs.
The simulation above has no case in which it would fail, provided that $A$ follows the specification of Game Confidentiality. To see that the simulation is perfect, namely that the environment simulated by $B$ is exactly the same as the actual environment of Game Confidentiality, we discuss the following components one by one.

1. Oracle Osigncrypt is simulated perfectly as $B$ owns the private signing key $sk_U^s$.
2. Oracle Odesigncrypt is also perfectly simulated, as any valid queried ciphertext $c$ must be a valid ciphertext of PKE-RR. The decryption oracle of the X-uniform CCA2 security game for PKE-RR will return $D(sk^*, c)$ where $sk^*$ is the private key corresponding to $pk^*$.
3. On preparing the challenge ciphertext $c^*$, since $f_0$ and $f_1$ are the signature generation algorithm pre-initialized with $sk_S^*$ and $m_0$/$m_1$, respectively, the outputs of $f_0$ and $f_1$ are valid signatures of $m_0$ and $m_1$, respectively, under $sk_S^*$. Hence the output $y^*$ of the encryption oracle described in Stage 3 above is generated in exactly the same way as $c^*$ in a real game.
4. To see that the generation of $y^*$ by the encryption oracle of the X-uniform CCA2 security game also satisfies Definition 4 (in particular Stage 3 of the game described in Definition 4), we first notice that the signature sub-spaces due to $f_0$ and $f_1$ must be at least the size of $\mathrm{minSSPC}(pk_S^*)$, where $pk_S^*$ is the public key corresponding to $sk_S^*$. According to one of the conditions stated in the theorem above, these signature sub-spaces have size at least $X(k)$. In addition, the encryption randomness for generating $y^*$ is chosen uniformly at random from one of these two signature sub-spaces because SS is uniformly-distributed (Definition 5). Therefore, the generation of $y^*$ also satisfies Definition 4.

Summarizing all the statements above, we can see that the simulation is perfect. As $B$ outputs whatever $A$ outputs, if $A$ compromises the SC-IND-CCA security of SC, then $B$ compromises the X-uniform CCA2 security of PKE-RR. □

Remark. According to Theorem 1, $X(k)$ has to be greater than all $\mathrm{poly}(k)$. As a result of Theorem 2, we should also set $|\mathrm{minSSPC}(pk)|$ to be greater than all $\mathrm{poly}(k)$, due to the requirement that $|\mathrm{minSSPC}(pk)| \ge X(k)$. In the concrete constructions described in Sections 5 and 6, we set $|\mathrm{minSSPC}(pk)|$ to be at least $2^k$.

Theorem 3. The signcryption scheme SC = (KeyGen, Signcrypt, DeSigncrypt, Verify) described in Section 4 is SC-EUF-CMA secure if
SS is EUF-CMA secure [15].

Proof. If there exists a forger F which wins in Game Unforgeability defined in Section 3, we construct an adversary C which
compromises EUF-CMA of SS.

In Stage 1 of the EUF-CMA game (reviewed in Section 4.2), C receives a public key pk from the EUF-CMA game simulator.
 e e
After receiving pk ; C starts simulating Game Unforgeability by first invoking ðpkU ; skU Þ KGenc ð1k Þ and then invoking F
 e 
with input pkU where pkU is set to pkU ; pk .

When $F$ makes a query to $O_{\mathrm{signcrypt}}$ with input $pk_R$, such that $pk_R \ne pk^*$, and another input $m \in \mathrm{SC.MSPC}(pk_R)$, $C$ queries the signing oracle of the EUF-CMA game with $H(m)$. Suppose the answer of the signing oracle is $\sigma$. $C$ then generates the return of $O_{\mathrm{signcrypt}}$ as $E(pk_R, m, \sigma)$.

When $F$ makes a query to $O_{\mathrm{designcrypt}}$ with input $pk_S$, such that $pk_S \ne pk^*$, and another input $c$ as a ciphertext, $C$ returns $D(sk_U^e, c)$.

At the end of the simulation, when $F$ produces a ciphertext $c^*$ and a key pair $(sk_R^*, pk_R^*)$ and halts, $C$ checks if $F$ wins the game by testing whether the output of $\mathrm{DeSigncrypt}(sk_R^*, pk^*, c^*)$ (i.e. $D(sk_R^*, c^*)$) is a pair $(m^*, \sigma^*)$ such that $m^*$ has never been queried to $O_{\mathrm{signcrypt}}$ and $1 \leftarrow \mathrm{Verify}(pk^*, m^*, \sigma^*)$ (i.e. $1 \leftarrow V(pk^*, m^*, \sigma^*)$). If all the checks pass, $C$ outputs $(m^*, \sigma^*)$ and halts.
The simulation above does not fail provided that $F$ follows the specification of Game Unforgeability. Similar to the discussion in the proof of Theorem 2, the simulation is perfect, namely, the oracles $O_{\mathrm{signcrypt}}$ and $O_{\mathrm{designcrypt}}$ are simulated exactly as in the real game. If $F$ wins Game Unforgeability, then the message-signature pair $(m^*, \sigma^*)$ encrypted in $c^*$ under $pk_R^*$ is a valid message-signature pair under the signature verification key $pk^*$, according to winning condition 2 of Game Unforgeability. Therefore, whenever $F$ wins Game Unforgeability, $C$ wins the EUF-CMA game. □

In the following sections, we propose two concrete constructions that instantiate the generic signcryption scheme
efficiently.

5. Concrete construction 1

To instantiate the generic signcryption scheme, SC, described above, we need to have a public key encryption scheme
with randomness recovery PKE-RR. One suite of candidates is the OAEP [5] and its variants, such as OAEP+ [25], SAEP
and SAEP+ [8] and three-round OAEP [23]. In this concrete construction, we choose OAEP+ as it does not suffer from the gap found in the original OAEP security proof [25], while being more efficient than SAEP or SAEP+.
Another potential candidate for PKE-RR is the Fujisaki–Okamoto generic transformation method which converts any
weakly secure public key encryption scheme to a CCA2 secure scheme [13]. The transformation is basically a hybrid encryp-
tion which employs both asymmetric and symmetric encryption. When the message is large in size, we can see that the rate
of ciphertext size to message size, $R_{EC2M}$ (introduced in the Introduction), could be very close to 1. However, this advantage diminishes rapidly when the message is small, for example, when the message is a 128-bit session key. In the following,
we start with a brief review of Shoup’s OAEP+ [25] with some notations changed from that in [25] for matching the notations
used in this paper.

Let $k, \ell \in \mathbb{N}$ be security parameters. Let $F$ be a one-way trapdoor permutation with $\ell$-bit output. The scheme has three other parameters $n, k_0$ and $k_1$, such that $n + k_0 + k_1 = \ell$ and all of them are no less than $k$. Let $G: \{0,1\}^{k_0} \to \{0,1\}^n$, $H: \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$ and $H': \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$ be hash functions.
Given a message $m \in \{0,1\}^n$, the encryption algorithm picks $r \leftarrow_R \{0,1\}^{k_0}$ uniformly at random and computes the ciphertext $c$ as $c = F(s \| t)$, where $s = (G(r) \oplus m) \| H'(r \| m)$ and $t = H(s) \oplus r$.
For decryption, the message $m$ can be recovered from the ciphertext $c$ by carrying out the following decryption steps.

1. $s \| t = F^{-1}(c)$,
2. $r = t \oplus H(s)$,
3. $m = G(r) \oplus s[0 \ldots n-1]$,
4. If $s[n \ldots n+k_1-1] = H'(r \| m)$, output $m$; otherwise, output $\bot$.

OAEP+ satisfies the definition of PKE-RR (Section 4.1) as the encryption randomness r can also be recovered during decryp-
tion. We will delay the discussions of its security with respect to X-uniform CCA2 security (Definition 4) after the description
of the signature scheme used in this concrete construction.
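An added worked example (not code from the paper): the OAEP+ encryption and decryption steps reviewed above in Python, with decryption returning the recovered randomness $r$ alongside $m$, which is exactly the PKE-RR property the generic construction relies on. Everything concrete here is an assumption made for the demo: the hash functions $G$, $H$, $H'$ are SHA-256 with domain-separation tags, the trapdoor permutation $F$ is textbook RSA over two Mersenne primes, and the parameter sizes are $n = 128$, $k_0 = k_1 = 40$. The `encrypt` function also accepts an externally supplied $r$, which is how the generic signcryption scheme feeds the encoded signature in as the encryption randomness.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy OAEP+ parameters in bits (constructed for the demo): n = 128 (a session
# key), k0 = k1 = 40, hence l = n + k0 + k1 = 208.
N_BITS, K0_BITS, K1_BITS = 128, 40, 40
L_BITS = N_BITS + K0_BITS + K1_BITS


def _hash(tag: bytes, data: bytes, out_bits: int) -> bytes:
    """Domain-separated SHA-256, truncated to out_bits (every output here is <= 256 bits)."""
    return hashlib.sha256(tag + data).digest()[: out_bits // 8]


def G(r: bytes) -> bytes:          # G  : {0,1}^k0      -> {0,1}^n
    return _hash(b"G", r, N_BITS)


def H(s: bytes) -> bytes:          # H  : {0,1}^(n+k1)  -> {0,1}^k0
    return _hash(b"H", s, K0_BITS)


def H_prime(rm: bytes) -> bytes:   # H' : {0,1}^(n+k0)  -> {0,1}^k1
    return _hash(b"H'", rm, K1_BITS)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy trapdoor permutation F: textbook RSA with two Mersenne primes. Constructed
# for the demo only; a 216-bit modulus offers no security.
P, Q = 2**127 - 1, 2**89 - 1
MOD = P * Q                      # 216 bits, so every 208-bit s||t is a valid residue
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def F(x: bytes) -> int:
    return pow(int.from_bytes(x, "big"), E, MOD)


def F_inv(c: int) -> Optional[bytes]:
    x = pow(c, D, MOD)
    if x >= 1 << L_BITS:         # not the image of any l-bit string: reject
        return None
    return x.to_bytes(L_BITS // 8, "big")


def encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """c = F(s||t) with s = (G(r) xor m) || H'(r||m) and t = H(s) xor r.

    r defaults to a uniform k0-bit string (plain OAEP+); the generic signcryption
    scheme instead passes the encoded signature as r.
    """
    if len(m) != N_BITS // 8:
        raise ValueError("message must be n bits")
    if r is None:
        r = secrets.token_bytes(K0_BITS // 8)
    if len(r) != K0_BITS // 8:
        raise ValueError("randomness must be k0 bits")
    s = xor(G(r), m) + H_prime(r + m)
    t = xor(H(s), r)
    return F(s + t)


def decrypt_rr(c: int) -> Optional[Tuple[bytes, bytes]]:
    """Decryption steps 1-4 from the review, returning (m, r) instead of only m.
    None plays the role of the reject symbol."""
    st = F_inv(c)                              # 1. s||t = F^{-1}(c)
    if st is None:
        return None
    split = (N_BITS + K1_BITS) // 8
    s, t = st[:split], st[split:]
    r = xor(t, H(s))                           # 2. r = t xor H(s)
    m = xor(G(r), s[: N_BITS // 8])            # 3. m = G(r) xor s[0..n-1]
    if s[N_BITS // 8 :] != H_prime(r + m):     # 4. s[n..n+k1-1] must equal H'(r||m)
        return None
    return m, r                                # randomness recovered alongside m
```

Because the toy $F$ is a permutation only on the 208-bit strings below the modulus, `F_inv` rejects any preimage outside $\{0,1\}^\ell$ before the $H'$ check runs; a real instantiation would use a permutation whose domain is exactly $\{0,1\}^\ell$, as the review assumes.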
To fit into the randomness space of OAEP+ while satisfying the requirement on the signature scheme stated in Theorem 2 (i.e. uniformly-distributed signature, Definition 5), we employ the Boneh–Boyen short signature [9] as the instantiation of SS. The scheme is reviewed as follows.¹
Let $G_1, G_2, G_T$ be groups of large prime order $p \ge 2^k + 2$, $e: G_1 \times G_2 \to G_T$ a bilinear pairing and $h: \{0,1\}^* \to \mathbb{Z}_p$ a hash function. To generate a key pair $(pk, sk)$, random generators $g_1 \in G_1$ and $g_2 \in G_2$ are first generated. Then, two random numbers $x, y \in \mathbb{Z}_p$ are chosen. This is followed by computing $u \leftarrow g_2^x$, $v \leftarrow g_2^y$ and $z \leftarrow e(g_1, g_2)$. $sk$ is set to $(g_1, x, y)$ and $pk$ is set to $(g_2, u, v, z)$.
To sign a message $m \in \{0,1\}^*$, a random number $a \in \mathbb{Z}_p \setminus \{-\frac{x + h(m)}{y}\}$ is selected and then $\sigma' \leftarrow g_1^{1/(x + h(m) + ya)}$ is computed. The signature is $(a, \sigma')$. This signature can be verified by checking if the following equation holds:
$e(\sigma',\ u \cdot g_2^{h(m)} \cdot v^a) = z$
s
For satisfying the correctness requirement (page 6), in this concrete construction we require that $\mathrm{SSPC}(pk_A^s) \subseteq \mathrm{PKE.COINS}(pk_B^e)$ for all $pk_A^s$ and $pk_B^e$ generated using $KG^{sig}$ and $KG^{enc}$, respectively, where $\mathrm{SSPC}(pk_A^s) = \mathbb{Z}_p \times G_1$ and $\mathrm{PKE.COINS}(pk_B^e) = \{0,1\}^{k_0}$. Without loss of generality, we assume that elements in $\mathbb{Z}_p$ and $G_1$ can always be uniquely represented as binary strings. Let $C_1$ and $C_2$ be the encoding methods which represent elements in $\mathbb{Z}_p$ and $G_1$ as binary strings, respectively. The correctness requirement mandates that $C_1(a) \| C_2(\sigma') \in \{0,1\}^{k_0}$ for any $a \in \mathbb{Z}_p$ and $\sigma' \in G_1$. In practice, suppose the $\eta_T$ pairing on an elliptic curve group over $GF(3^{97})$, with prime order $(3^{97} + 3^{49} + 1)/7$, is used [7]; then $C_1(a)$ could be 152 bits long and $C_2(\sigma')$ 195 bits long (using two bits to represent one digit of an element in $GF(3^{97})$), and we may set $k_0$ to 347.
We now discuss the security of OAEP+ and the Boneh–Boyen short signature with respect to the security requirements stated in Theorems 2 and 3.
As described in Section 4, we set the message space of SS to $\{0,1\}^k$. For any two messages $m_1, m_2 \in \{0,1\}^k$, we have
$|\mathrm{SSPC}(pk_A^s, m_1)| = |\mathrm{SSPC}(pk_A^s, m_2)| = p - 1$
and this is true for all $pk_A^s$ generated by $KG^{sig}$ of the Boneh–Boyen signature scheme. We therefore set $\mathrm{minSSPC}(pk_A^s)$ to $\mathrm{SSPC}(pk_A^s, m)$ for some arbitrarily chosen message $m \in \{0,1\}^k$. For ensuring that $|\mathrm{minSSPC}(pk_A^s)| \ge \Omega(k)$, we set $\Omega(k) = 2^k$.
For OAEP+, the message space $\mathrm{PKE.MSPC}_{\mathrm{OAEP+}}(f)$ is $\{0,1\}^n$ and the randomness space $\mathrm{PKE.COINS}_{\mathrm{OAEP+}}(f)$ is $\{0,1\}^{k_0}$. In [25], Shoup showed that OAEP+ is CCA2 secure [24] in the random oracle model [6]. According to Theorem 2, we need to show that OAEP+ is also $\Omega$-uniform CCA2 secure (Definition 4) where $\Omega(k) = 2^k$.

Theorem 4. OAEP+ is $\Omega$-uniform CCA2 secure (Definition 4) where $\Omega(k) = 2^k$.

The proof follows almost exactly that of [25, Theorem 3]. The only exception is that all the arguments originally referring to $k_0$ should be changed to refer to $k$. Let $q_G$, $q_H$ and $q_{H'}$ bound the number of queries made by the CCA2 adversary to the oracles $G$, $H$ and $H'$ respectively, and let $q_D$ bound the number of decryption oracle queries. The advantage of the adversary in winning the CCA2 game can therefore be obtained from Eq. (22) in the proof of [25, Theorem 3]. Let $S_0$ be the event that $b = \hat{b}$ in the CCA2 game; we have
$|\Pr[S_0] - 1/2| \le \mathrm{InvAdv}(A_0) + (q_{H'} + q_D)/2^{k_1} + (q_D + 1)\, q_G / 2^k$
where $\mathrm{InvAdv}(A_0)$ is the success probability that a particular adversary $A_0$ has in breaking the one-way trapdoor permutation $f$.
Theorem 5. Boneh–Boyen short signature is a uniformly-distributed signature scheme (Definition 5).

¹ Besides using the Boneh–Boyen short signature, Zhang et al.'s short signature [28] is also a feasible choice.

Proof. For any public key $pk = (g_2, u, v, z)$ and private key $sk = (g_1, x, y)$ generated, and for any message $m \in \{0,1\}^k$,
$\mathrm{SSPC}(pk, m) = \{(a, \sigma') : a \in \mathbb{Z}_p \setminus \{-\frac{x + h(m)}{y}\},\ \sigma' = g_1^{1/(x + h(m) + ya)}\}$.
The randomness used in the signature generation is $a$, which is chosen uniformly at random over $\mathbb{Z}_p \setminus \{-\frac{x + h(m)}{y}\}$. As the second part $\sigma'$ of each signature is uniquely determined by the first part $a$, the signature generated is also uniformly distributed over $\mathrm{SSPC}(pk, m)$. □

6. Concrete construction 2

We now propose another instantiation of the generic signcryption scheme described in Section 4. Compared with the first
instantiation, this one has better MER (Message Expansion Rate) which will be discussed in detail in the next section. In this
instantiation, we employ Fujisaki and Okamoto's hybrid encryption [13], which satisfies the definition of PKE-RR. The
hybrid encryption is CCA2 secure under the random oracle model. The underlying public key encryption scheme of this hy-
brid encryption only needs to be secure in a very weak sense, that is, an adversary cannot entirely decrypt the encryption of a
random plaintext. The underlying symmetric key encryption scheme only needs to be semantically secure against chosen
plaintext attack. By making use of the hybrid encryption, we build another instantiation of the generic signcryption scheme.
Below is a review of the Fujisaki–Okamoto hybrid encryption.
Let $\Pi^{sym} = (E^{sym}, D^{sym})$ be a symmetric key encryption scheme. Given a symmetric key $s \in \{0,1\}^k$, encrypting a message $m \in \Pi^{sym}.\mathrm{MSPC}(k)$ using $\Pi^{sym}$ is performed by computing $c \leftarrow E^{sym}(s, m)$, and decrypting a ciphertext is performed as $m \leftarrow D^{sym}(s, c)$. Let $\Pi^{asy} = (KG^{asy}, E^{asy}, D^{asy})$ be a public key encryption scheme (which need not support randomness recovery). Let $G': \{0,1\}^* \to \{0,1\}^k$ and $H': \{0,1\}^* \to \Pi^{asy}.\mathrm{COINS}(k)$ be two hash functions, where $\Pi^{asy}.\mathrm{COINS}(k)$ is the randomness space of $E^{asy}$. This requires that the randomness space is determined by the security parameter $k$. The public/private key pair $(pk, sk)$ is generated by running $KG^{asy}(1^k)$. To encrypt a message $m \in \Pi^{sym}.\mathrm{MSPC}(k)$, $r \leftarrow_R \Pi^{asy}.\mathrm{MSPC}(pk)$ is randomly chosen and the following is computed:
$c = E^{asy}(pk, r, H'(r, m)) \,\|\, E^{sym}(G'(r), m)$
For decryption, $c$ is first separated into $c_1 \| c_2$, then $r \leftarrow D^{asy}(sk, c_1)$ and $m \leftarrow D^{sym}(G'(r), c_2)$ are computed, and $m$ is output if $c_1 = E^{asy}(pk, r, H'(r, m))$.
To support randomness recovery, we change the hybrid encryption above so that it returns $r$ as well, together with $m$. Note that $\Pi^{asy}.\mathrm{MSPC}$ is the randomness space of the Fujisaki–Okamoto hybrid encryption scheme.

Theorem 6. The Fujisaki–Okamoto hybrid encryption is $\Omega$-uniform CCA2 secure (Definition 4) where $\Omega(k) = 2^k$, under the condition that $|\Pi^{asy}.\mathrm{MSPC}(pk)| \ge 2^k$ for all $pk$ generated by $KG^{asy}(1^k)$.

About the signature scheme, we continue using the Boneh–Boyen short signature in this instantiation. For satisfying the correctness requirement of the generic signcryption scheme, we require that $\mathrm{SSPC}(pk_A^s) \subseteq \Pi^{asy}.\mathrm{MSPC}(pk_B^e)$ for all $pk_A^s$ and $pk_B^e$ generated by $KG^{sig}$ and $KG^{asy}$, respectively. Theorem 5 states that the Boneh–Boyen short signature scheme is a uniformly-distributed signature scheme.
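As an added example (not code from the paper or from [13]), here is the Fujisaki–Okamoto hybrid encryption reviewed above with the randomness-recovery change applied: decryption returns $(m, r)$, and the re-encryption check rejects any ciphertext whose $c_1$ does not match $E^{asy}(pk, r, H'(r, m))$. All instantiations are assumptions made for the demo: $\Pi^{asy}$ is textbook ElGamal over $\mathbb{Z}_p^*$ with $p = 2^{521} - 1$ and base 3 (the paper's CC2 assumes ElGamal over ECC), $\Pi^{sym}$ is a one-time pad whose keystream is $G'(r)$ expanded with SHAKE-256 to the message length, $H'$ maps $(r, m)$ to an ElGamal exponent with SHAKE-256, $r$ is 128 bits, and the ciphertext is kept as a pair $(c_1, c_2)$ rather than the concatenation $c_1 \| c_2$.

```python
import hashlib
import secrets
from typing import Optional, Tuple

K_BITS = 128                     # length of r (an element of Pi^asy.MSPC) in bits

# Toy group for Pi^asy (constructed for the demo, no security claim): Z_p^* with
# p the Mersenne prime 2^521 - 1 and the fixed base g = 3.
P_MOD = 2**521 - 1
G_BASE = 3
ORDER = P_MOD - 1                # exponent space, i.e. Pi^asy.COINS


def kg_asy() -> Tuple[int, int]:
    """KG^asy: returns (pk, sk) = (g^x, x)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return pow(G_BASE, x, P_MOD), x


def e_asy(pk: int, r: bytes, coin: int) -> Tuple[int, int]:
    """E^asy(pk, r, coin): textbook ElGamal with the randomness passed in explicitly."""
    rr = int.from_bytes(r, "big")            # r < 2^128 < p, so it is a group element
    return pow(G_BASE, coin, P_MOD), (rr * pow(pk, coin, P_MOD)) % P_MOD


def d_asy(sk: int, c1: Tuple[int, int]) -> Optional[bytes]:
    """D^asy(sk, c1); None if the result is not a well-formed k-bit r."""
    a, b = c1
    if a % P_MOD == 0:
        return None
    rr = (b * pow(a, -sk, P_MOD)) % P_MOD
    if rr >= 1 << K_BITS:
        return None
    return rr.to_bytes(K_BITS // 8, "big")


def g_prime(r: bytes, nbytes: int) -> bytes:
    """G'(r), expanded straight into a keystream of the message length (SHAKE-256)."""
    return hashlib.shake_256(b"G'" + r).digest(nbytes)


def h_prime(r: bytes, m: bytes) -> int:
    """H'(r, m): an ElGamal exponent in Z_{p-1} derived from (r, m); r has fixed length."""
    d = hashlib.shake_256(b"H'" + r + m).digest(80)
    return int.from_bytes(d, "big") % ORDER


def e_sym(keystream: bytes, m: bytes) -> bytes:
    """One-time pad; D^sym is the same operation."""
    return bytes(x ^ y for x, y in zip(keystream, m))


def encrypt(pk: int, m: bytes, r: Optional[bytes] = None):
    """c = (E^asy(pk, r, H'(r, m)), E^sym(G'(r), m)).

    r is drawn uniformly unless supplied; the generic signcryption scheme
    supplies the encoded signature here and recovers it on decryption.
    """
    if r is None:
        r = secrets.token_bytes(K_BITS // 8)
    if len(r) != K_BITS // 8:
        raise ValueError("r must be k bits")
    c1 = e_asy(pk, r, h_prime(r, m))
    c2 = e_sym(g_prime(r, len(m)), m)
    return c1, c2


def decrypt_rr(pk: int, sk: int, c) -> Optional[Tuple[bytes, bytes]]:
    """Recover r and m, re-encrypt, and output (m, r) only if c1 is reproduced."""
    c1, c2 = c
    r = d_asy(sk, c1)
    if r is None:
        return None
    m = e_sym(g_prime(r, len(c2)), c2)
    if c1 != e_asy(pk, r, h_prime(r, m)):    # Fujisaki-Okamoto re-encryption check
        return None
    return m, r                               # r is returned together with m (PKE-RR)
```

The re-encryption check is what makes the randomness recoverable in a CCA2-safe way: a decryptor that returned $r$ without recomputing $c_1$ would leak information about the randomness of malformed ciphertexts, which is exactly the oracle the $\Omega$-uniform CCA2 game gives the adversary.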

7. Performance and security comparison

Table 1 shows the performance of the two concrete constructions and that of several other PKI-based signcryption schemes. In the table, $L_C$ denotes the length of the signcrypted text (i.e. the ciphertext, in bits) and $L_S$ denotes the length of the "unwrapped" signature from a signcrypted text. These values are obtained by assuming that the length of an RSA public modulus is 1024 bits, the ECC group size is 163 bits long, the basic element of the bilinear pairing operation is in an elliptic curve group over $GF(3^{97})$ where the order of the group is $(3^{97} + 3^{49} + 1)/7$, that is 152 bits long (and is one of the most efficient implementations of bilinear pairing to date [7]), each bilinear group element requires 195 bits to represent, and the output length of hash functions is 256 bits (the output length of a keyed hash function is also considered as that of a conventional hash function).

Table 1
Performance comparison.

Scheme                    L_C    L_S    MER    Complexity (ECSM, EXP, BP)    Security
Zheng [29] w/ ECC         547    –      4.27   6, 0, 0                       OC [3], IU [3], –
Bao and Deng [4] w/ ECC   547    419    4.27   7, 0, 0                       OC^a, IU^a, P
TBOS [20]                 1024   1024   8      0, 4, 0                       IC^a, IU^a, P
LYWDC [16]                713    780    5.57   4, 0, 2                       IC, IU, P
CC1 (Section 5)           1024   347    8      3, 2, 1                       IC, IU, P
CC2^b (Section 6)         638    347    4.98   6, 0, 1                       IC, IU, P

a The paper did not give a proof of these properties, but they are commonly believed to hold.
b Assumes that the ElGamal encryption scheme over ECC is used as the underlying public key encryption scheme $\Pi^{asy}$.

The computational complexity is shown under the column named Complexity in the table. Here, we only consider those
expensive cryptographic operations, such as elliptic curve scalar multiplication – ECSM, modular exponentiation – EXP (e.g.
RSA) and bilinear pairing – BP.
As signcryption schemes are generally used as a secure and authenticated way for transferring session keys, we consider
the length of a secure session key to be 128 bits and take this value as the message length in the performance evaluation. The
column Security in Table 1 illustrates the security level that each scheme is known to have achieved. O denotes outsider
security; I denotes insider security, C denotes confidentiality, U denotes unforgeability, and P denotes public verifiability
(i.e. the ‘‘wrapping feature” discussed in Section 3).
Most of the recently proposed signcryption schemes support public verifiability, but early schemes such as [29] do not.
Among the schemes which achieve stronger security levels, namely satisfying IC, IU and P simultaneously, the second con-
crete construction (CC2) gives the lowest Message Expansion Rate (MER) which results in having the shortest length of the
signcrypted text (i.e. $L_C$) as well.
On the computational complexity, the two concrete constructions also compare favorably with existing schemes. For
example, for CC2, it requires three ECSMs but no BP for signcryption; and three ECSMs and one BP for de-signcryption. As
one BP operation is generally several times slower than one ECSM, we can see that CC2 also yields the best performance
in speed among all the schemes in Table 1 which satisfy the highest level of security.
All the schemes that we have compared with in the above are restricted to the conventional public key setting. It is worth
mentioning that there are some highly efficient signcryption schemes in other cryptographic settings, for example, the iden-
tity-based setting [10,12]. For Boyen’s scheme [10], the MER can reach 5 (assuming that an identity is 128 bits long). How-
ever, both signcryption and de-signcryption are expensive, requiring 4 ECSMs and one BP for signcryption; and two ECSM
and 4 BPs for de-signcryption. For Chow et al.’s scheme [12], the MER is 3.8. However, signcryption requires two ECSMs
and two BPs; and de-signcryption requires one ECSM and four BPs.

8. Conclusion

We proposed a new generic construction for signcryption schemes and showed that it achieves SC-IND-CCA and SC-EUF-
CMA, if the underlying PKE-RR is X-uniform CCA2 secure (Definition 4) and the signature scheme is uniformly-distributed
(Definition 5). Both of the security models have the notion of insider security captured. From the two instantiations de-
scribed in Sections 5 and 6, we can see that there exist some efficient primitives which can be used for building very efficient
concrete constructions. The generic signcryption scheme was shown secure without random oracles, while both of the concrete constructions are based on PKE-RRs which are secure in the random oracle model. One question that remains open is to construct an efficient instantiation which does not rely on random oracles.

Acknowledgements

We would like to thank all the anonymous reviewers for their valuable comments.

References

[1] J.H. An, Y. Dodis, T. Rabin, On the security of joint signature and encryption, in: Proc. EUROCRYPT 2002, LNCS, vol. 2332, Springer, 2002, pp. 83–107.
[2] J. Baek, R. Steinfeld, Y. Zheng, Formal proofs for the security of signcryption, in: Public Key Cryptography 2002, LNCS, vol. 2274, Springer-Verlag, 2002,
pp. 80–98.
[3] J. Baek, R. Steinfeld, Y. Zheng, Formal proofs for the security of signcryption, J. Cryptol. 20 (2) (2007) 203–235.
[4] F. Bao, R.H. Deng, A signcryption scheme with signature directly verifiable by public key, in: Public Key Cryptography 1998, LNCS, vol. 1431, Springer,
1998, pp. 55–59.
[5] M. Bellare, P. Rogaway, Optimal asymmetric encryption, in: Proc. EUROCRYPT 94, LNCS, vol. 950, Springer, 1995, pp. 92–111.
[6] M. Bellare, P. Rogaway, The exact security of digital signatures – how to sign with RSA and RABIN, in: Proc. EUROCRYPT 96, 1996, pp. 399–416.
[7] J.-L. Beuchat, M. Shirase, T. Takagi, E. Okamoto, An algorithm for the gt pairing calculation in characteristic three and its hardware implementation, in:
Proc. of the 18th IEEE Symposium on Computer Arithmetic, IEEE Computer Society, 2007, pp. 97–104.
[8] D. Boneh, Simplified OAEP for the RSA and Rabin functions, in: Proc. CRYPTO 2001, LNCS, vol. 2139, Springer, 2001, pp. 275–291.
[9] D. Boneh, X. Boyen, Short signature without random oracle and the SDH assumption in bilinear groups, in: Proc. EUROCRYPT 2004, LNCS, vol. 3027,
Springer, 2004, pp. 56–73.
[10] X. Boyen, Multipurpose identity-based signcryption: a swiss army knife for identity-based cryptography, in: Proc. CRYPTO 2003, LNCS, vol. 2729,
Springer, 2003, pp. 383–399.
[11] X. Chen, F. Zhang, H. Tian, B. Wei, W. Susilo, Y. Mu, H. Lee, K. Kim, Efficient generic on-line/off-line (threshold) signatures without key exposure, Inform.
Sci. 178 (21) (2008) 4192–4203.
[12] S. Chow, S. Yiu, L. Hui, K. Chow, Efficient forward and provably secure id-based signcryption scheme with public verifiability and public ciphertext
authenticity, in: Information Security and Cryptology – ICISC 2003, LNCS, vol. 2971, Springer, 2003, pp. 352–369.
[13] E. Fujisaki, T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in: Proc. CRYPTO 99, LNCS, vol. 1666, Springer, 1999, pp.
537–554.
[14] C. Gamage, J. Leiwo, Y. Zheng, Encrypted message authentication by firewalls, in: Public Key Cryptography 1999, LNCS, vol. 1560, Springer, 1999, pp.
69–81.
[15] S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attack, SIAM J. Comput. 17 (2) (1988) 281–308.
[16] C.K. Li, G. Yang, D.S. Wong, X. Deng, S.S. Chow, An efficient signcryption scheme with key privacy, in: Proc. of the Fourth European PKI Workshop
(EuroPKI 2007), LNCS, vol. 4582, Springer-Verlag, 2007, pp. 78–93.
[17] B. Libert, J.-J. Quisquater, Efficient signcryption with key privacy from gap Diffie–Hellman groups, in: Public Key Cryptography 2004, LNCS, vol. 2947,
Springer, 2004, pp. 187–200.

[18] R.W.C. Lui, L.C. Hui, S. Yiu, Delegation with supervision, Inform. Sci. 177 (19) (2007) 4014–4030.
[19] J. Lv, K. Ren, X. Chen, K. Kim, The ring authenticated encryption scheme – how to provide a clue wisely, Inform. Sci. 179 (1–2) (2009) 161–168.
[20] J. Malone-Lee, W. Mao, Two birds one stone: signcryption using RSA, in: Topics in Cryptology – Proc. of CT-RSA 2003, LNCS, vol. 2612, Springer, 2003,
pp. 211–225.
[21] S. Micali, Simple and fast optimistic protocols for fair electronic exchange, in: ACM Symposium on Principles of Distributed Computing, PODC 2003,
ACM, 2003, pp. 12–19.
[22] Y. Mu, V. Varadharajan, Distributed signcryption, in: INDOCRYPT 2000, LNCS, vol. 1977, Springer, 2000, pp. 155–164.
[23] D.H. Phan, D. Pointcheval, Chosen-ciphertext security without redundancy, in: Proc. ASIACRYPT 2003, LNCS, vol. 2894, Springer, 2003, pp. 1–18.
[24] C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in: Proc. CRYPTO 91, LNCS, vol. 576, Springer,
1992, pp. 433–444.
[25] V. Shoup, OAEP reconsidered, in: Proc. CRYPTO 2001, LNCS, vol. 2139, Springer, 2001, pp. 239–259.
[26] R. Steinfeld, Y. Zheng, A signcryption scheme based on integer factorization, in: ISW’00, LNCS, vol. 1975, Springer, 2000, pp. 308–322.
[27] D.H. Yum, P.J. Lee, New signcryption schemes based on KCDSA, in: Information Security and Cryptology – ICISC 2001, LNCS, vol. 2288, Springer, 2002,
pp. 305–317.
[28] F. Zhang, X. Chen, W. Susilo, Y. Mu, A new signature scheme without random oracles from bilinear pairing, in: Proc. Progress in Cryptology –
VIETCRYPT 2006, LNCS, vol. 4341, Springer, 2006, pp. 67–80.
[29] Y. Zheng, Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption), in: Proc. CRYPTO 97, LNCS, vol. 1294, Springer, 1997, pp. 165–179.
