Information Security and Cryptography Texts and Monog raphs Series Editors David Basin Ueli Maurer Advisory Board Martín Abadi Ross Anderson Michael Backes Ronald Cramer Virgil D. Gligor Oded Goldreich Joshua D. Guttman Arjen K. Lenstra John C. Mitchell Tatsuaki Okamoto Kenny Paterson Bart Preneel For further volumes: http://www.springer.com/series/4752 Alexander W. Dent · Yuliang Zheng Editors Practical Signcryption Foreword by Moti Yung 123 Editors Dr. Alexander W. Dent Prof. Yuliang Zheng Royal Holloway University of North Carolina, Charlotte University of London Dept. Software & Information Systems Information Security Group University City Blvd. 9201 TW20 0EX Egham, Surrey Charlotte, NC 28223 United Kingdom USA [email protected] [email protected] Series Editors Prof. Dr. David Basin Prof. Dr. Ueli Maurer ETH Zürich Switzerland [email protected] [email protected] ISSN 1619-7100 ISBN 978-3-540-89409-4 e-ISBN 978-3-540-89411-7 DOI 10.1007/978-3-540-89411-7 Springer Heidelberg Dordrecht London New York Library of Congress Control Number: 2010935931 ACM Computing Classification (1998): E.3, K.4.4 c Springer-Verlag Berlin Heidelberg 2010 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broad- casting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant pro- tective laws and regulations and therefore free for general use. Cover design: KuenkelLopka GmbH, Heidelberg Printed on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com) Foreword Scientific exploration follows many directions, and this is as true for a technological science like “cryptography” as it is for any physical science. One central scientific direction involves finding new notions, new primitives, and new methods; defining them; implementing them; and then showing and proving the characteristics of these findings. In modern cryptography, the definition of new basic primitives and their security properties has been one of the primary activities of the last few decades (since the field was conceived in the later part of the twentieth century). Once a primitive is defined, a number of investigative directions take place: One direction is showing the basic tools (mathematical assumptions and basic cryp- tographic functions) that are necessary and sufficient for the primitive. A second direction involves finding more efficient implementations, where efficiency is mea- sured in terms of the complexity of the primitive (such as the time it takes, the space it consumes, the messages used, the rounds of communication employed). A third direction is extending the properties of the basic primitive and modifying it to achieve other interesting important tasks, or making sure it operates in a different environment than it was originally intended for. Yet, a fourth direction is finding system’s needs and applications that crucially exploit the primitive (either inher- ently, as a functional enhancement of an application or as a contributor to efficiency improvement); this direction eventually leads to actual working systems that can be exploited by actual computing systems. Note that other directions for investigation are known, such as reductions between primitives, generalization of primitives into a super-primitive. Once a primitive is born, its development often progresses in quite unexpected and mysterious ways. Two of the cornerstones of modern cryptography are public-key encryption as implemented via public-key cryptosystems and digital signatures as implemented by signature schemes. Public-key cryptosystems are a concealment mechanism. Employing the cryptosystem enables a party (a sender) to encrypt a confidential message to a second party (a receiver) without the need to share an initial secret; the only thing needed is for the receiver to publicize the public portion of its key (the encryption key), while keeping secret the decryption key. Digital signatures, on the other hand, are an integrity mechanism. These enable a party to send a message with a signature tag that verifies the origin of the message (i.e., authenticates the v vi Foreword sender) to any receiver; the only thing needed is for the sender to initially publicize its public verification key while keeping secret the corresponding signing key. There are a very high number of variations of the concepts of public-key cryp- tosystems and digital signature schemes. Many properties have been added, and the definition and characteristic of these primitive, as well as efficient implementations of them and their variations, have been thoroughly investigated. These primitives have also been implemented as important underlying components in various security protocols used to secure computing and communication infrastructures (the Internet, the Web, the mobile networks, and so on). The book “Practical Signcryption” by Alex Dent and Yuliang Zheng consid- ers a very interesting primitive, originally the brainchild of Yuliang Zheng, called “Signcryption.” The name of this primitive tells it all: It is a primitive that combines the functionality of digital signatures and that of public-key encryption. Often in science, when primitives are defined, there is an issue with their combination and interoperability. Note that in computer science in general, the notion of combination is very important, since complex structures need to be developed in pieces, and therefore modularity is a critical notion which enables the development of pieces which can be combined into more complete systems. Combination can be performed in many ways. For example, one can envision a simple concatenation of the prim- itives (i.e., performing the first and then the second); however, even such a simple combination presents a challenge in cryptographic research, since the combination may not preserve the security properties of each of the components. Signcryption is a result of realizing that often one wants to send a message that is concealed (readable only by the intended receiver) and authenticated (verified as originating from the specified sender). This combination is natural in numerous applications. The original motivation for “signcryption” (which is a much shorter word than the expression “signature and encryption”) was to gain efficiency, namely to allow both actions to be done more efficiently than just a serial composition of the two components (e.g., to get a shorter cryptogram representing both encryption and signature than is obtained merely by first encrypting the message into a ciphertext and then signing the ciphertext). Once the above was shown possible, at that very moment, a new primitive was born and the book covers the many aspects of developments around this primitive of signcryption. These developments include achieving efficient constructions, achiev- ing provably secure constructions under various models, getting efficient schemes in various algebraic domains, getting new techniques to design the primitives in vari- ous settings, and getting applications and actual implementations of it. The book covers all these areas by chapters that are written by the world-renowned cryp- tographers who have been in the frontier of research and who have actually been responsible for many of these numerous interesting developments. Note further that the authors of the various chapter demonstrate, by their wide geographical spread, the global nature of advanced cryptographic research nowadays. The story of signcryption has taught us that “combining natural primitives” has strong research and development potential in many ways, and especially it has a good chance in reducing complexities when measured against a naive combination. Foreword vii In fact, I learned this lesson myself and applied it a few years after signcryption had been conceived. Together with J. Katz, we studied the combination of private key encryption and message authentication codes (which is the “symmetric key cryptog- raphy” equivalent of what signcryption is in the “public-key cryptography” area). This primitive, now called “authenticated encryption,” which has also been studied by a number of other groups has found numerous applications and is an outcome of the approach pioneered by the notion of signcryption. The “Practical Signcryption” book can be a handbook on the state of the art of signcryption, specifically, and, at the same time, can serve as a way to historically view how this specific subject has evolved. On a more general level, the book can serve as an example how cryptographic primitives are conceived and how research in this general area evolves, going through various stages from the theoretical and mathematical development stage all the way to the practical stage (i.e., into sys- tems and standardization). In other words, the book serves two purposes: (1) it is the definitive source on signcryption and (2) it is also a prototypical example to learn from how research on cryptographic primitives