Publications: Abstract

An Application-Centric Analysis of Signcryption and the Importance of Insider Security

Christian Badertscher, Fabio Banfi, and Ueli Maurer

Signcryption is a public-key cryptographic primitive, originally introduced by Zheng (Crypto '97), that allows parties to establish secure communication without the need for prior key agreement. Instead, a party registers its public key at a certificate authority (CA), and only needs to retrieve the public key of the intended partner from the CA before being able to protect the communication. As suggested by the name, signcryption schemes provide both authenticity and confidentiality of sent messages and are motivated like their symmetric-key counterparts, i.e., authenticated-encryption schemes: better achievable performance compared to generic compositions of signature and encryption schemes, and a simpler interface to applications.

Although signcryption was introduced two decades ago, the question of which security notions of signcryption are adequate for which applications has still not received a fully satisfying answer, even for the basic ones. In this work, we conduct a detailed application-centric and composable analysis of standard signcryption security to address this question. We identify the natural goal that signcryption schemes should achieve as a gracefully-degrading secure network, which is basically a network of independent parties that allows secure communication between any two parties. However, when a party is compromised, its respective security guarantees are lost, while all guarantees for the remaining users stay unaffected. We show which security notions are sufficient to realize this kind of secure network from a certificate authority (or key registration resource) and insecure communication. In particular, we identify which of the existing variants of the insider security notion is adequate to achieve this.

Our study further unveils that the graceful-degradation property is actually an essential feature of signcryption that separates it from alternative and more natural constructions that achieve a secure network from the same assumptions. This shows the vital importance of the insider security notion for signcryption and strongly supports, in contrast to the initial belief, the recent trend to consider the insider security notion as the standard notion for signcryption.