Abstract
We introduce a new cryptographic primitive, called Completely Anonymous Signed Encryption (CASE). CASE is a public-key authenticated encryption primitive, that offers anonymity for senders as well as receivers. A “case-packet” should appear, without a (decryption) key for opening it, to be a blackbox that reveals no information at all about its contents. To decase a case-packet fully–so that the message is retrieved and authenticated–a verification key is also required.
Defining security for this primitive is subtle. We present a relatively simple Chosen Objects Attack (COA) security definition. Validating this definition, we show that it implies a comprehensive indistinguishability-preservation definition in the real-ideal paradigm. To obtain the latter definition, we extend the Cryptographic Agents framework of [2, 3] to allow maliciously created objects.
We also provide a novel and practical construction for COA-secure CASE under standard assumptions in public-key cryptography, and in the standard model.
We believe CASE can be a staple in future cryptographic libraries, thanks to its robust security guarantees and efficient instantiations based on standard assumptions.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
For simplicity, we consider a finite message space. If messages of arbitrary length are to be allowed, we will let a case-packet reveal the length of the message (possibly after padding). All our definitions and results can be readily generalized to this setting.
- 2.
These distinct experiments can be combined to give an equivalent unified experiment in which the adversary is allowed to adaptively attack any of the above security properties over a collection of keys and case-packets. Such a definition is presented as an intermediate step to showing the comprehensiveness of this definition (see below).
- 3.
We note that, CCA-QD security is not implied by CCA security and the QD structure alone. E.g., one can modify a CCA-QD secure PKE scheme such that, if the encoding of the randomness (the pre-computed component of the ciphertext) happens to equal the message, it simply sets the second component to \(\bot \), thereby revealing the message; while this remains CCA secure, an adversary in the CCA-QD game can set one of the challenge messages to be equal to the encoding of the randomness and break CCA-QD security.
- 4.
So that, it is statistical indistinguishability in the ideal model that is required to be preserved as computational indistinguishability in the real model.
- 5.
To facilitate keeping track of the arguments being made, we describe the corresponding hybrids from Sect. 6. The goal is to show \(\textsf{H}_{0} \approx \textsf{H}_{7} \), for hybrids corresponding to real executions with \(b=0\) and \(b=1\) respectively.
- 6.
This corresponds to \(\textsf{H}_{0} \approx \textsf{H}_{1} \) (with \(b=0\)) and \(\textsf{H}_{6} \approx \textsf{H}_{7} \) (with \(b=1\)).
- 7.
This corresponds to showing that if \(\textsf{H}_{2} \approx \textsf{H}_{5} \), then \(\textsf{H}_{1} \approx \textsf{H}_{2} \) and \(\textsf{H}_{5} \approx \textsf{H}_{6} \).
- 8.
This shows \(\textsf{H}_{2} \approx \textsf{H}_{3} \) and \(\textsf{H}_{4} \approx \textsf{H}_{5} \).
- 9.
That is, \(\textsf{H}_{3} \approx \textsf{H}_{4} \).
- 10.
If a handle appears more than once among \( {h} _1,\ldots , {h} _t\), it is interpreted as separate agents with the same configuration (but possibly different inputs). In our use-case of CASE, this scenario is not relevant.
References
Abdalla, M., Bellare, M., Neven, G.: Robust encryption. In: Micciancio, D., (ed.) TCC (2010)
Agrawal, S., Agrawal, S., Prabhakaran, M.: Cryptographic agents: towards a unified theory of computing on encrypted data. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 501–531. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_17
Agrawal, S., Prabhakaran, M., Yu, C.-H.: Virtual grey-boxes beyond obfuscation: a statistical security notion for cryptographic agents. In: TCC 2016-B (2016)
Alwen, J., Blanchet, B., Hauck, E., Kiltz, E., Lipp, B., Riepel, D.: Analysing the HPKE standard. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 87–116. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_4
An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_6
An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_6
Badertscher, C., Banfi, F., Maurer, U.: A constructive perspective on signcryption security. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 102–120. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_6
Baek, J., Steinfeld, R., Zheng, Y.: Formal proofs for the security of signcryption. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 80–98. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_6
Barbosa, M., Farshim, P.: Certificateless signcryption. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, pp. 369–372 (2008)
Bellare, M., Hofheinz, D., Kiltz, E.: Subtleties in the definition of IND-CCA: when and how should challenge decryption be disallowed? J. Cryptol. 28(1), 29–48 (2015). https://doi.org/10.1007/s00145-013-9167-4
Bellare, M., Stepanovs, I.: Security under message-derived keys: Signcryption in iMessage. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 507–537. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_17
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33
Bjørstad, T.E., Dent, A.W.: Building better signcryption schemes with Tag-KEMs. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 491–507. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_32
Boyen, X.: Multipurpose identity-based signcryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_23
Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS 2001 (2001)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
Datta, P., Dutta, R., Mukhopadhyay, S.: Compact attribute-based encryption and signcryption for general circuits from multilinear maps. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 3–24. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26617-6_1
Datta, P., Dutta, R., Mukhopadhyay, S.: Functional signcryption: notion, construction, and applications. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 268–288. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_15
Dent, A.W.: Hybrid signcryption schemes with insider security. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 253–266. Springer, Heidelberg (2005). https://doi.org/10.1007/11506157_22
Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SICOMP 30(2), 391–437 (2000)
Farshim, P., Libert, B., Paterson, K.G., Quaglia, E.A.: Robust encryption, revisited. In: Kurosawa, K., Hanaoka, G., (eds.) PKC (2013)
Gagné, M., Narayan, S., Safavi-Naini, R.: Threshold attribute-based signcryption. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 154–171. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_11
Gjøsteen, K., Kråkmo, L.: Universally Composable Signcryption. In: Lopez, J., Samarati, P., Ferrer, J.L. (eds.) EuroPKI 2007. LNCS, vol. 4582, pp. 346–353. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73408-6_26
Goldwasser, S., Micali, S.: Probabilistic encryption. JCSS 28(2), 270–299 (1984)
Libert, B., Quisquater, J.-J.: A new identity based signcryption scheme from pairings. In: Proceedings 2003 IEEE Information Theory Workshop (Cat. No. 03EX674), pp. 155–158. IEEE (2003)
Libert, B., Quisquater, J.-J.: Efficient signcryption with key privacy from gap Diffie-Hellman groups. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 187–200. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_14
Liu, J.K., Baek, J., Zhou, J.: Online/offline identity-based signcryption revisited. In: Lai, X., Yung, M., Lin, D. (eds.) Inscrypt 2010. LNCS, vol. 6584, pp. 36–51. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21518-6_3
Malone-Lee, J.: Identity-based signcryption. Cryptology ePrint Archive (2002)
Maurer, U.: Constructive cryptography - a new paradigm for security definitions and proofs. In: Theory of Security and Applications - Joint Workshop, TOSCA 2011, pp. 33–56 (2011). https://doi.org/10.1007/978-3-642-27375-9
Maurer, U., Portmann, C., Rito, G.: Multi-designated receiver signed public key encryption. In: Dunkelman, O., Dziembowski, S. (eds.) Advances in Cryptology. EUROCRYPT 2022. LNCS, vol. 13276, pp. 644–673. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_22
Mohassel, P.: A closer look at anonymity and robustness in encryption schemes. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 501–518. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_29
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437 (1990)
Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8
Paterson, K.G., Schuldt, J.C.N., Stam, M., Thomson, S.: On the joint security of encryption and signature, revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 161–178. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_9
Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_35
Selvi, S.S.D., Sree Vivek, S., Pandu Rangan, C.: Identity based public verifiable signcryption scheme. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 244–260. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16280-0_17
Selvi, S.S.D., Vivek, S.S., Vinayagamurthy, D., Rangan, C.P.: ID based signcryption scheme in standard model. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 35–52. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33272-2_4
Steinfeld, R., Zheng, Y.: A signcryption scheme based on integer factorization. ISW 1975, 308–322 (2000)
Wang, Yang, Manulis, Mark, Au, Man Ho, Susilo, Willy: Relations among privacy notions for signcryption and key invisible “Sign-then-Encrypt’’. In: Boyd, Colin, Simpson, Leonie (eds.) ACISP 2013. LNCS, vol. 7959, pp. 187–202. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39059-3_13
Yung, M., Dent, A., Zheng, Y.: Practical Signcryption. Springer Science & Business Media, Heidelberg (2010). https://doi.org/10.1007/978-3-540-89411-7
Zheng, Y.: Digital signcryption or how to achieve cost (signature & encryption) cost (signature) + cost(encryption). In: Kaliski, B.S. (eds.) Advances in Cryptology–CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052234
Zheng, Y., Imai, H.: How to construct efficient signcryption schemes on elliptic curves. Inf. Process. Lett. 68(5), 227–233 (1998)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Agrawal, S., Agrawal, S., Prabhakaran, M., Raghunath, R., Singla, J. (2023). CASE: A New Frontier in Public-Key Authenticated Encryption. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14370. Springer, Cham. https://doi.org/10.1007/978-3-031-48618-0_7
Download citation
DOI: https://doi.org/10.1007/978-3-031-48618-0_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48617-3
Online ISBN: 978-3-031-48618-0
eBook Packages: Computer ScienceComputer Science (R0)