Signcryption (Short Survey)

Encryption and signature schemes are fundamental cryptographic tools for providing privacy and authenticity, respectively, in the public-key setting. Traditionally, these two important building-blocks of public-key cryptography have been considered as distinct entities that may be composed in various ways to ensure simultaneous message privacy and authentication. However, in the last few years a new, separate primitive — called signcryption [14] — has emerged to model a process simultaneously achieving privacy and authenticity. This emergence was caused by many related reasons. The obvious one is the fact that given that both privacy and authenticity are simultaneously needed in so many applications, it makes a lot of sense to invest special effort into designing a tailored, more efficient solution than a mere composition of signature and encryption. Another reason is that viewing authenticated encryption as a separate primitive may conceptually simplify the design of complex protocols which require both privacy and authenticity, as signcryption could now be viewed as an “indivisible” atomic operation. Perhaps most importantly, it was noticed by [3, 2] (following some previous work in the symmetric-key setting [4, 10]) that proper modeling of signcryption is not so obvious. For example, a straightforward composition of signature and encryption might not always work; at least, unless some special care is applied [2]. The main reason for such difficulties is the fact that signcryption is a complex multi-user primitive, which opens a possibility for some subtle attacks (discussed below), not present in the settings of stand-alone signature and encryption.