2signcryption complete (3)

8/7/2019 2signcryption complete (3)

1/26

SIGNCRYPTION

Seminar ID: 181

A Technical Seminar Reportsubmitted in partial fulfillment of

the requirements for theDegree of Bachelor of Technology

Under Biju Patnaik University of Technology

By

Kishore Chandra Sahoo Roll # IT200710098

February- 2011

Under the guidance of

Mrs. Sasmita Padhy


2/26

NATIONAL INSTITUTE OF SCIENCE & TECHNOLOGYPalur Hills, Berhampur, Orissa 761008, India

ABSTRACT

Signcryption is a new cryptographic primitive which simultaneously provides both

confidentiality and authenticity. Previously, these two goals had been considered

separately, with encryption schemes providing confidentiality and signature schemes

providing authenticity. In cases where both were required, the encryption and

signature operations were simply sequentially composed.

In 1997, Zheng demonstrated that by combining both goals into a single primitive, it

is possible to achieve significant savings both in computational and communication

overhead. Since then, a wide variety of signcryption schemes have been proposed.

Signcryption is a new cryptographic primitive, which simultaneously provides both

confidentiality and authenticity. Previously, these two goals had been considered

separately, with encryption scheme provide confidentiality and digital signature

provides authenticity. In cases where both required, the encryption operations and

digital signature operations were simply sequentially composed. In 1998, Zheng

demonstrated that by combining both goals into a single primitive it is possible to

achieve significant savings both in computational and communication overhead. Since

a wide variety of signcryption schemes have been proposed. In this seminar we

discuss one algorithm for signcryption and advantages and disadvantages of

signcryption.

ii


3/26

ACKNOWLEDGEMENT

It is my proud privilege to epitomize deepest sense of gratitude and indebtedness to

my guide, Mrs. Sasmita Padhy for her valuable guidance, keen and sustainedinterest.

I would like to thank Mr. Purnendu Mishra for his help and support towards our

B.Tech Technical seminar.

I acknowledge with immense pleasure the sustained interest, encouraging attitude and

constant inspiration rendered by Prof. Sangram Mudali, Director, N.I.S.T. Hiscontinued drive for better quality in everything that happens at N.I.S.T. and selfless

inspiration has always helped us to move ahead.

KISHORE CHANDRA SAHOO

i


4/26

TABLE OF CONTENTS

ABSTRACT ......................................ii

ACKNOWLEDGEMENT............................................................................................i

TABLE OF CONTENTS............................................................................................ii

LIST OF FIGURES....................................................................................................iv

1. INTRODUCTION....................................................................................................5

1.1. Why Signcryption?..............................................................................................6

1.1.1 Based on discrete algorithm problem, ..........................................................6

1.1.2 Using RSA cryptosystem..............................................................................6

2. SIGNCRYPTION HOW IT WORKS.................................................................72.1 Basic Architecture................................................................................................8

2.2 Steps involved in Unsigncrypting a message.....................................................10

3. SIGNCRYPTION FROM TRAPDOOR PERMUTATION..............................12

3.1 Trapdoor Permutation Families..........................................................................12

3.1.1 Syntax..........................................................................................................12

3.1.2 Security........................................................................................................13

3.2 Cryptography from Trapdoor Permutations.......................................................13

3.2.1 Drawbacks...................................................................................................14

3.2.2 Advantage....................................................................................................15

4. FEATURES AND SECURITY ASPECTS OF SIGNCRYPTION...................16

4.1 Features..............................................................................................................16

4.1.1 Unique Unsigncryptability .........................................................................16

4.1.2 Security .......................................................................................................16

4.1.3 Efficiency....................................................................................................16

4.2 Security..............................................................................................................16

4.2.1 Unforgeability ............................................................................................16

4.2.2 Confidentiality.............................................................................................17

4.3 Comparisons.......................................................................................................17

5. ADVANTAGES AND DISADVANTAGES OF DIGITAL SIGNCRYPTION18

5.1 Advantages.........................................................................................................18

5.1.1 Low computational cost..............................................................................18

5.1.2 Higher security............................................................................................18

ii


5/26

5.1.3 Message Recovery.......................................................................................19

5.2 Disadvantages.....................................................................................................20

6. POSSIBLE APPLICATIONS OF DIGITAL SIGNCRYPTION......................21

6.1 LM Signcryption and its application in WTLS Handshake Protocol.................21

6.2 Using Signcryption in unforgeable key establishment over ATM Networks....22

7. CONCLUSION.......................................................................................................23

REFERENCES...........................................................................................................24

iii


6/26

LIST OF FIGURES

Figure 2.1 Signcryption - generating k1 and k2........................................................8

Figure 2.2: Signcryption - generating components c and r......................................9

Figure 2.3: Signcryption - generating component s..................................................9

Figure 2.4: Unsigncryption- generating component k............................................10

Figure 2.5: Unsigncryption obtaining the message m..........................................10

Figure 2.6: Unsigncryption verification of the message m..................................11

Figure 5.1: Security of Combination of Algorithms...............................................19

Figure 5.2: Disadvantage of Signcryption................................................................20

Figure 7.1: Future Scenario of Signcryption...........................................................23

iv


7/26

SIGNCRYPTION

1. INTRODUCTION

In order to send a confidential letter in a way that it cannot be forged, it has been a

common practice for the sender of the letter to sign it, put it in an envelope and thenseal it before handing it over to be delivered.

Discovering Public key cryptography has made communication between people who

have never met before over an open and insecure network, in a secure and

authenticated way possible. Before sending a message, the sender has to do the

following:

Sign it using a Digital Signature (DS) scheme Encrypt the message and the signature using a private key encryption

algorithm under randomly chosen message encryption key

Encrypt the random message encryption key using the receivers public key

Send the message following steps 1 to 3.

This approach is knows as signature-then-encryption. The main disadvantage of this

approach is that, digitally signing a message and then encrypting it, consumes moremachine cycles and bloats the message by introducing extended bits to it. Hence,

decrypting and verifying the message at the receivers end, a lot of computational

power is used up.

Thus you can say that the cost of delivering a message using signing-then-encryption

is in effect the sum of the costs of both digital signatures and public key encryption.

Signcryption is a new paradigm in public key cryptography that simultaneously fulfils

both the functions of digital signature and public key encryption in a logically single

step, and with a cost significantly lower than that required by the traditional signature

followed by encryption.

5


8/26

SIGNCRYPTION

1.1. Why Signcryption?

1.1.1 Based on discrete algorithm problem,

Signcryption costs 58% less in average computation time and 70% less in messageexpansion than does signature then encryption.

1.1.2 Using RSA cryptosystem

It costs on average 50% less in computation time and 91% less in message expansion

than signature-then-encryption does.

6


9/26

SIGNCRYPTION

2. SIGNCRYPTION HOW IT WORKS

Signcryption can be defined as a combination of two schemes; one of digital

signatures and the other of public key encryption. One can implement Signcryption byusing El Gamals shortened digital signature scheme, Schnorrs signature scheme or

any other digital signature schemes in conjunction with a public key encryption

scheme like DES, 3DES or SPEED. This choice would be made based on the level of

security desired by the users. Here we present the implementation of Signcryption

using ElGamals shortened signature scheme and a public key encryption algorithm

denoted by E and D(Encryption and Decryption algorithms).

Compared with DSS, SDSS1 and SDSS2 have the following advantages:

1. Their signatures are shorter

2. No modular inversion or division is required in signature verification.

3. They both admit provable security, albeit in the random oracle model

These are the parameters involved in the Signcryption algorithm:

Parameters public to all p a large prime number

q a large prime factor of p-1

g an integer with order q modulo p chosen randomly from [1,,p-1] Hash a one-

way hash function whose output has, say, at least 128 bits KH a keyed one-way

hash function (E, D)

The encryption and decryption algorithms of a private key cipher Alices keys xa

Alices private key, chosen uniformly at random from [1,,q-1]

ya Alices public key (ya = gxa mod p)

Bobs keys xb Bobs private key, chosen uniformly at random from [1,,q-1]

yb Bobs public key (yb = gxb mod p)

7


10/26

SIGNCRYPTION

2.1 Basic Architecture

We are taking an example in which Alice is sender and bob is receiver. So Alice is

having a message m, which wants to send to bob in an unsecured channel, hence he

uses signcryption mechanism to send the message to bob so that message would

remain safe. So below steps are discussed which are involved in Signcrypting the

message.

Figure 2.1 Signcryption - generating k1 and k2

1. Alice chooses a value x from the large range 1,,q-1

2. She then uses Bobs public key and the value x and computes the hash of it. This will

give her a 128-bit string. K = hash (ybx mod p)

3. She then splits this 128-bit value K into two 64-bit halves. We can name them as k1

and k2 and refer to them as the key pair.

4. Next, Alice encrypts the message m using a public key encryption scheme E with the

key k1. This will give her the cipher text c. c = E k1 (m)

5. Then, she uses the key k2 in the one-way keyed hash function KH to get a hash of the

message m. This will give her a 128-bit hash, which we will call r. This process uses

the SDSS Algorithm. r = KH k2 (m)

6. Just like in SDSS, Alice then computes the value of s. She does this using the value of

x, her private key xa, the large prime number q and the value of r.

8


11/26

SIGNCRYPTION

s = x / (r + xa)mod q

7. Alice now has three different values, c, r and s. She then has to get these three values

to Bob in order to complete the transaction. She can do this in a couple of ways. She

can send them all at one time. She can also send them at separately using secure

transmission channels, which would increase security. Thus on her part, Signcryption

of the message is done.

Figure 2.2: Signcryption - generating components c and r.

Figure 2.3: Signcryption - generating component s

9


12/26

SIGNCRYPTION

2.2 Steps involved in Unsigncrypting a message

Figure 2.4: Unsigncryption- generating component k

1. Bob receives the 3 values that Alice has sent him, c, r and s. He uses the values of r

and s, his private key xb, Alices public key ya and p and g to compute a hash which

would give him 128-bit result.

K = hash ((ya * gr)s X xb mod p)

This 128-bit hash result is then split into two 64-bit halves which would give

him a key pair (k1,k2). This key pair would be identical to the key pair that

was generated while Signcrypting the message.

2. Bob then uses the key, k1, to decrypt the cipher text c, which will give him the

message m. m = Dk1(c)

Figure 2.5: Unsigncryption obtaining the message m

10


13/26

SIGNCRYPTION

Figure 2.6: Unsigncryption verification of the message m

3. Now Bob does a one-way keyed hash function on m using the key k2 and compares

the result with the value r he received from Alice. If they match, it means that the

message m was indeed signed and sent by Alice, if not Bob will know that the

message was either not signed by Alice or was intercepted and modified by an

intruder. Thus Bob accepts the message only if KHk2(m) = r.

11


14/26

SIGNCRYPTION

3. SIGNCRYPTION FROM TRAPDOORPERMUTATION

3.1 Trapdoor Permutation Families

Trapdoor permutations are an important building block of public key cryptography. A

trapdoor permutation is simply a permutation f : S S on some finite set S, which

can be efficiently evaluated by anyone, but whose inverse permutation f1 : S S

can only be efficiently evaluated by using some secret trapdoor information.

3.1.1 Syntax

More formally, we define a trapdoor permutation family as a triple of

algorithms(Trap-Gen, Eval, Invert):

Trap Gen is a randomized algorithm which accepts 1k, where k is a Security

parameter, and outputs a pair(f,f1),where f is a permutation over some set S and f1

is its inverse permutation. This Operation is denoted by:

(f,f1) Trap-Gen(1k).

Eval is a deterministic algorithm which accepts permutation f generated by Trap-

Gen, as well as some x S, where S is the set over which f is defined. It outputs

some y S. This operation is denoted by:

y Eval(f,x),or simply y f(x).

Invert is a deterministic algorithm which accepts some f1 generated by Trap-Gen

and some y S, where S is the set over which f is 41defined.Itoutputssome x S.

This operation is denoted by:

x Invert(f1,y),or simply x f1(y).Where h at f1(f(x))= x for all x, and for all pairs(f,f1)generated by Trap-

Gen. This ensures both that f is a permutation, and that f1 is the inverse

permutation of f.

12


15/26

SIGNCRYPTION

3.1.2 Security

As the case for encryption, signature, and signcryption schemes, we define the

security of at trapdoor permutation family in terms of the goal and capabilities of an

adversary.

We will take the goal of the adversary to be inverting a randomly chosen element. To

achieve this goal, the adversary A must win the following game:

1. (f,f1) Trap-Gen(1k)

2. y R S (where S is the set over which f is defined)

3. x A(f,y).

A wins in the case that x = f1(y). As for the capabilities of the adversary, we only

give it access to the permutation f. We require that a trapdoor Permutation family

satisfy Pr[A wins] < negl(k)for any such adversary A.

Note that we have chosen a particularly strong goal for the adversary, and given it

particularly weak capabilities.

This means that the security level provided by a trapdoor permutation family is quite

weak. However, it is still possible to build strongly secure encryption and signature

schemes from trap door permutation families. As we will see in this chapter, it is also

possible to build strongly secure signcryption schemes from them. Thus their weak

notion of security is an advantage, making them easier to construct and analyze.

3.2 Cryptography from Trapdoor Permutations

Originally, trapdoor permutations were used directly as encryption and signature

schemes. For example, to encrypt a message m for a recipient B, one would simply

compute c = fB(m), where fB is Bs trapdoor function. Of course, the recipient would

then compute m = f1 B (c) using his secret trapdoor information. Unfortunately, this

simple scheme does not provide indistinguishability, since anyone can distinguish

between f(m0) and f(m1), for any m0 and m1. Similarly, to sign a message m, a

13


16/26

SIGNCRYPTION

sender A would simply compute s = f1 A (m), and then anyone could verify that

fA(s) = m.

However, this does not provide unforgeability, since any user can compute valid

message/signature pairs (fA(s0), s0) for any s0. The solution to both of these

problems is to first apply a padding function to the message, then apply the trapdoor

permutation to some or all of the padded message.

3.2.1 Drawbacks

This scheme has the following drawbacks:

Each user must maintain two distinct trapdoor permutations: one for

encrypting (f), and one for signing (g).

Two padding steps are required; one for encryption, and one for signature.

Since padding steps generally lengthen their inputs, this unnecessarily

lengthens the input to the second trapdoor permutation, as well as the final

ciphertext output.

The identity of the recipient is appended before signing, and the identity of the

sender is appended before encrypting. This unnecessarily lengthens the inputs

to the trapdoor permutations, as well as the final ciphertext output. Dodis,

Freedman, Jarecki, and Walfish have proposed a series of trapdoor-based

signcryption schemes which addresses all three of these problems.

Their schemes require each user to maintain only a single trapdoor permutation,

which is used to achieve both confidentiality and authenticity. Only a single padding

step is required, which is applied just before the trapdoor permutations of the sender

and recipient. The identities of the sender and recipient are fed in as inputs to the

padding step, but do not lengthen its output.

14


17/26

SIGNCRYPTION

3.2.2 Advantage

This mode has the advantage that the two trapdoor permutations can be applied in

parallel, but the disadvantage that the minimum ciphertext length is twice the output

size of the trapdoor permutations. A further advantage is that fA and fB can be of

different lengths.

Sequential mode: u fB(f1 A (w||s)). In this case, the trapdoor permutations

must be applied sequentially, but the minimum ciphertext length is half that of

the parallel method.

Extended sequential mode: u fB(f1 A (w))||s. This mode is a slight

modification of the sequential mode. Its minimum ciphertext length is only

slightly longer than that of the sequential method (since s can be chosen to be

very short), while it admits a much tighter security proof.

15


18/26

SIGNCRYPTION

4. FEATURES AND SECURITY ASPECTS OFSIGNCRYPTION

4.1 Features

Digital Signcryption strives to do digital signature and public key encryption in one

logical step, with a cost less than that required by each of those steps done separately.

Let us assume that S is the Signcryption algorithm and U is the Unsigncryption

algorithm. The following three aspects define the features of Signcryption: -

4.1.1 Unique Unsigncryptability

A message m of arbitrary length is Signcrypted using the algorithm S. This will give a

Signcrypted output c. The receiver can apply Unsigncryption U on c to verify the

message m. This Unsigncryption is unique to the message m and the sender.

4.1.2 Security

Since Signcryption is a combination of two security schemes, digital signatures as

well as public key encryption, it is likely to be more secure and would ensure that the

message sent couldnt be forged, the contents of which are confidential and ensures

non-repudiation.

4.1.3 Efficiency

The cost of computation involved when applying the Signcryption and

Unsigncryption algorithms as well as the communication overhead is much smaller

than with signature-then-encryption schemes.

4.2 Security

4.2.1 Unforgeability

Bob is in the best position to be able to forge any Signcrypted message from Alice as

only he is in possession of his private key, xb, which is required to directly verify

16


19/26

SIGNCRYPTION

Alices message. Given the Signcrypted text of c, r and s, Bob can only obtain the

message m by decrypting it using his private key xb. Any changes he then makes to

the message m will reflect in the next step of Signcryption, which will ensure that the

one-way keyed hash function on the message m, will not match the value r. Thus Bob,

the prime candidate for this kind of attack, is prevented from forging Alices

Signcrypted message.

4.2.2 Confidentiality

Given that an attacker has obtained all three components of the Signcrypted message,

c, r and s, he still would not be able to get any partial information of the message m

because he would have to also know Bobs private key as well as the two large prime

number p and its factorial q, known only to Alice and Bob. This is not feasible, as we

know that deriving a factorial from a large prime number is not practical.

4.3 Comparisons

The advantage of signcryption over signature-then-encryption lies in the dramatic

reduction of computational cost and communication overhead, which can besymbolized by the following inequality:

Cost (Signcryption)< Cost (signature)+Cost (encryption)

17


20/26

SIGNCRYPTION

5. ADVANTAGES AND DISADVANTAGES OFDIGITAL SIGNCRYPTION

5.1 Advantages

5.1.1 Low computational cost

Signcryption is an efficient scheme as it does two steps at once during Signcryption

and Unsigncryption. When you think of this in terms of one person sending a

Signcrypted message to another person using a mobile device, computation cost does

not really matter much. Computational power of processors has developed vastly

these days, so if you were to consider Signcrypting network traffic between two

stations or all of the traffic on a certain network, then computational power as well

savings in bandwidth are major factors.

5.1.2 Higher security

One can argue the fact that whether the bringing together of two security schemes

would increase or decrease security. In our groups view, it would only increase

security. We base this on the fact that when you combine two security schemes, which

by themselves are complex enough to withstand attacks, it can only lead to added

security.

Consider the following: -

X Any Digital Signature Algorithm

Y Any Encryption Algorithm

X Total Number of Signature Algorithms known

Y Total Number of Encryption Algorithms known

Therefore the combination of the schemes X and Y would give you the

Signcryption scheme S. S = X U Y

18


21/26

SIGNCRYPTION

Figure 5.1: Security of Combination of Algorithms

If you consider the fact that both X and Y involve complex mathematical functions, it

is only logical to assume that S, which is a combination of both X and Y will involve

the combination of the complexities of both X and Y and thus be more complex. More

the complexity, more the harder it is for cryptanalysis. Another point to be noted here

is that X, the digital signature algorithm, can be chosen from a large range of existing

digital signature algorithms, X. Similarly the encryption algorithm for Y can be

chosen from any encryption algorithm like 3DES, DES, etc from the range Y. Thus

the Signcryption algorithm can be implemented using any of the values in X and Y.

This would make it very difficult for a cryptanalyst to figure out which

implementation was used in the Signcrypting algorithm. Basically he would have X x

Y >= X V Y i.e. the cryptanalyst would have to decide between the number of total

digital signature algorithms times the number of encryption algorithms, which is

greater or equal to either the number of X or Y.

5.1.3 Message Recovery

Consider the following scenario: Alice signs and encrypts a message and sends it to

Bob. A while later, she wants to use the contents of the message again. To satisfy

Alice's requirement, her electronic mail system has to store some data related to the

message sent. And depending on cryptographic algorithms used, Alice's electronic

mail system may either keep a copy of the signed and encrypted message as

evidence of transmission, or in addition to the above copy, keep a copy of the

19


22/26

SIGNCRYPTION

original message, either in clear or encrypted form. A cryptographic algorithm or

protocol is said to provide a past recovery ability if Alice can recover the message

from the signed and encrypted message using only her private key. While both

Signcryption and signature-then-encryption-with-astatic-key" provide past recovery,

signature-then-encryption" does not. One may view signature-then-encryption" as

an information black hole" with respect to Alice the sender: whatsoever Alice drops

in the black hole" will never be retrievable to her, unless a separate copy is kept

properly.

5.2 Disadvantages

Figure 5.2: Disadvantage of Signcryption

The way Signcryption algorithm works currently, Alice has to use Bobs public key to

signcrypt a message. This has a disadvantage when you consider the need to broadcast

a Signcrypted text. Imagine a bank needs to send a Signcrypted message to a number

of share traders. With the current algorithm, it needs to signcrypt the message with

each of its intended recipients public keys and send them separately to each one of

them. This approach is redundant in terms of bandwidth consumption and

computational resource usage. There is a research going on to solve this by

introducing a group key between the bank and the clients that it intends to send

Signcrypted text and use that to broadcast Signcrypted messages.

20


23/26

SIGNCRYPTION

6. POSSIBLE APPLICATIONS OF DIGITALSIGNCRYPTION

6.1 LM Signcryption and its application in WTLSHandshake Protocol

The mobile telecommunications business is booming. Tiny digital telephones and

sleek pocketsize PDAs (personal digital assistants) are now more than just fashion

accessories. The ability to connect to the Internet is a major feature that attracts

people to them. It means that mobile communication devices and client mobile

devices are now ready to access the Web. This scenario has given rise to a big

question in the minds of users, is it secure? Accordingly, operators and manufactures

have responded by establishing the WAP (Wireless Application Protocol) forum.

The WAP forum has already developed WTLS (Wireless Transport Layer Security)

layer for secured communication in the WAP environment. The primary goal of

WTLS is to provide privacy, data integrity and AKA (Authentication and Key

Agreement) between communication entities.

Authenticity and confidentiality must be provided by a suitable encryption scheme in

case of mobile communication. One way to implement this is to first digitally sign the

message and encrypt it. This is commonly known as Signature-thenencryption. The

other is vice-versa, called encryption-then-signature. Currently, the WTLS handshake

protocol is used for secure communication through mobile devices. This handshake

uses AKA protocol with an end-to-end connection. In handshake message flow, user

certificate is sent to the recipient without encryption or another cryptographic scheme.

In this scenario an attacker can get the certificate by eavesdropping on the

transmission interface and can figure out user information from the certificate. This

can provide the attacker with the user's location and activity.

If Signcryption is used to send messages with mobile devices it will rectify this gap

by providing stronger security. By the use of Signcryption, bandwidth use can be

reduced and computational load can be decreased without compromising on thesecurity of the message.

21


24/26

SIGNCRYPTION

6.2 Using Signcryption in unforgeable keyestablishment over ATM Networks

The asynchronous transfer mode (ATM) is a high speed networking technique for

public networks capable of supporting many classes of traffic.

It is essentially a packet-switching technique that uses short fixed length packets

called cells. Fixed length cells simplify the design of an ATM switch at the high

switching speeds involved. The selection of a short fixed length cell reduces the

delay. ATM is capable of supporting a wide range of traffic types such as voice,

video, image and various data traffic.

In ATM networks data packets are typically 53 bytes. Only 48 bytes out of 53 bytes in

an ATM cell can be used for transmitting data, as the remaining 5 bytes are reserved

for storing control information. Thus transmitting encryption key materials of more

than 384 bits (48 bytes) over an ATM network would require two or more ATM cells.

In a fast network such as ATM, if data packets are divided then there could be

considerable delay due to packetization, buffering and reassembling data units.

So, the need of the hour is to design an authenticated key establishment protocol that

does not rely on a key distribution system,

has low resource requirements,

message is as short as possible and

offers unforgeability and non-repudiation.

In such a scenario, Signcryption or a modified usage of Signcryption can solve the

problem by minimizing message size as well as ensuring unforgeability and

nonrepudiation. Extensive research is going on in use of Signcryption in key

establishment over ATM networks. It is expected that within a few years it will

actually be implemented.

22


25/26

SIGNCRYPTION

7. CONCLUSION

Signcryption is a very novel idea that, if implemented in the right way, can be very

useful.

Figure 7.1: Future Scenario of Signcryption

In life, it is human nature to try and do two things at once, or to kill two birds in one

stone. Humans do this to make shortcuts, save on time and resources. Is this best

approach to do things? In terms of computer security, like we explained before, we

believe that by combining two complex mathematical functions, you will increase the

complexity and in turn increase security. Signcryption still has a long way to go

before it can be implemented effectively and research is still going on in various parts

of the world to try to come up with a much more effective way of implementing this.

23


26/26

SIGNCRYPTION

REFERENCES

[1] http://www.signcryption.org/introduction/

[2] http://coitweb.uncc.edu/~yzheng/publications/[3] http://www.uow.edu.au/~guilin/bible/signcryption.htm

[4] http://portal.acm.org/citation.cfm?id=1633804.1634880

[5] Alex Dent and Yuliang Zheng: Practical Signcryption, a volume in

Information Security and Cryptography, Springer-Verlag, Berlin,

[6] Wenbo Mao, Modern Cryptography: Theory and Practice, Prentice Hall PTR.

[7] JeeHeaAn, Yevgeniy Dodis ,and TalRabin. On the security of joint signature

and encryption. In L.R.Knudsen, editor, Proc.ofEurocrypt02, volume 2332 ofLNCS, pages83107. Springer-Verlag,2002. Updated versionavailableat:

http://theory.lcs.mit.edu/yevgen/ps/signcrypt.
http://www.uow.edu.au/~guilin/bible/signcryption.htmhttp://portal.acm.org/citation.cfm?id=1633804.1634880http://www.springer.com/computer/security+and+cryptology/book/978-3-540-89409-4http://www.springer.de/http://www.uow.edu.au/~guilin/bible/signcryption.htmhttp://portal.acm.org/citation.cfm?id=1633804.1634880http://www.springer.com/computer/security+and+cryptology/book/978-3-540-89409-4http://www.springer.de/

Documents

2signcryption complete (3)