
Constructing parallel long-message signcryption scheme from trapdoor permutation (Cited by: 1)

Abstract: A highly practical parallel signcryption scheme named PLSC from trapdoor permutations (TDPs for short) was built to perform long messages directly. The new scheme follows the idea "scramble all, and encrypt small", using some scrambling operation on message m along with the user's identities, and then passing, in parallel, small parts of the scrambling result through corresponding TDPs. This design enables the scheme to flexibly perform long messages of arbitrary length while avoiding repeatedly invoking TDP operations such as the CBC mode, or verbosely black-box composing symmetric encryption and signcryption, resulting in noticeable practical savings in both message bandwidth and efficiency. Concretely, the signcryption scheme requires exactly one computation of the "receiver's TDP" (for "encryption") and one inverse computation of the "sender's TDP" (for "authentication"), which is of great practical significance in directly performing long messages, since the major bottleneck for many public encryption schemes is the excessive computational overhead of performing TDP operations. Cutting out the verbosely repeated padding, the newly proposed scheme is more efficient than a black-box hybrid scheme. Most importantly, the proposed scheme has been proven to be tightly semantically secure under adaptive chosen ciphertext attacks (IND-CCA2) and to provide integrity of ciphertext (INT-CTXT) as well as non-repudiation in the random oracle model. All of these security guarantees are provided in the full multi-user, insider-security setting. Moreover, though the scheme is designed to perform long messages, it may also be appropriate for settings where it is impractical to perform large blocks of messages (i.e. extremely low memory environments such as smart cards).
Source: Science in China (Series F), 2007, No. 1, pp. 82-98, 17 pages in total (中国科学 F辑英文版)
Funding: Supported by the National Basic Research Program (Grant No. 2004CB318004) and the National Natural Science Foundation of China (Grant Nos. 60373047 and 90604036)
Keywords: authenticated encryption, signcryption, trapdoor permutations, parallel
