Sign-then-encrypt with security enhancement and compressed ciphertext

Abstract

Sign-then-encrypt is a classical composition method of public-key encryption (PKE) and signatures. It is also viewed as a generic construction of signcryption scheme, a primitive that provides confidentiality and authenticity simultaneously. In this work, we study how to sign-then-encrypt with CPA-to-CCA security enhancement and shorter ciphertext.

Our first step is to combine sign-then-encrypt with the Fujisaki-Okamoto (FO) transformation. The FO transformation is a useful technique to construct CCA-secure PKE from CPA-secure schemes in the random oracle model (ROM). Some extra randomness should be encrypted in the FO transformation. We show that when combined with sign-then-encrypt, we can realize “free” FO transformation by replacing the encrypted randomness in the FO transformation with a high-entropy signature. Then we give another construction based on a variant of the FO transformation, requiring a CPA-secure key encapsulation mechanism (KEM) instead of PKE.

Our second step is to further compress the ciphertext, focusing on signatures from the Fiat-Shamir transformation. We use the challenge part of the signature as the random coins used in the KEM, for which we call our general construction “Encrypt-with-Challenge”. Requiring some joint properties between the signature scheme and the KEM, the symmetric key or the key encapsulation can replace the challenge in the signature. We thus further remove the encrypted challenge from the ciphertext.

Finally, we give instantiations of Encrypt-with-Challenge. Our ElGamal-based construction has comparable ciphertext size with existing signcryption schemes and is the first to achieve CCA security from standard CDH assumption.