Communications of the ACM
ACISP '01 Proceedings of the 6th Australasian Conference on Information Security and Privacy
Adaptive Security for Threshold Cryptosystems
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Digital Signcryption or How to Achieve Cost(Signature & Encryption)
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
On the Security of Joint Signature and Encryption
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Minimizing the use of random oracles in authenticated encryption schemes
ICICS '97 Proceedings of the First International Conference on Information and Communication Security
Adaptive Security in the Threshold Setting: From Cryptosystems to Signature Schemes
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Secure Distributed Key Generation for Discrete-Log Based Cryptosystems
Journal of Cryptology
Lower bounds for discrete logarithms and related problems
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Adaptively secure threshold cryptography: introducing concurrency, removing erasures
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Practical threshold signatures without random oracles
ProvSec'07 Proceedings of the 1st international conference on Provable security
Fully secure threshold unsigncryption
ProvSec'10 Proceedings of the 4th international conference on Provable security
One-time signatures and Chameleon hash functions
SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Short threshold signature schemes without random oracles
INDOCRYPT'05 Proceedings of the 6th international conference on Cryptology in India
ID-Based threshold unsigncryption scheme from pairings
CISC'05 Proceedings of the First SKLOIS conference on Information Security and Cryptology
Chosen ciphertext secure public key threshold encryption without random oracles
CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
Strongly unforgeable signatures based on computational diffie-hellman
PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography
Provably secure identity-based threshold unsigncryption scheme
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
Hi-index | 0.00 |
The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.