On the RCCA Security of Hybrid Signcryption for Internet of Things

الملخص EN

With the rapid development of the Internet of Things (IoT), a lot of sensitive information in our daily lives are now digitalized and open to remote access.

The provision of security and privacy of such data would incur comprehensive cryptographic services and has raised wide concern.

Hybrid signcryption schemes could achieve various kinds of cryptographic services (e.g., confidentiality, authenticity, and integrity) with much lower cost than the combination of separate traditional cryptographic schemes with each providing a single cryptographic service.

Thus, hybrid signcryption schemes are very suitable for IoT environments where resources are generally very constrained (e.g., lightweight sensors and mobile phones).

To ensure that the overall hybrid signcryption scheme provides adequate cryptographic service (e.g., confidentiality, integrity, and authentication), its parts of KEM (key encryption mechanism) and DEM (data encryption mechanism) must satisfy some security requirements.

Chosen-ciphertext attack (CCA) security has been widely accepted as the golden standard requirement for general encryption schemes.

However, CCA security appears too strong in some conditions.

Accordingly, Canetti et al.

(CRYPTO 2003) proposed the notion of replayable CCA security (RCCA) for encryption schemes, which is a strictly weaker security notion than CCA security and naturally more efficient.

This new security notion has proved to be sufficient for most existing applications of CCA security, e.g., encrypted password authentication.

This is particularly promising for IoT environments, where security is demanding, yet resources are constrained.

In this paper, we examine the RCCA security of the well-known SKEM+DEM style hybrid signcryption scheme by Dent at ISC 2005.

Meanwhile, we also examine the RCCA security of the Tag-SKEM+DEM style hybrid signcryption scheme by Bjorstad and Dent at PKC 2006.

We rigorously prove that a hybrid signcryption scheme can achieve RCCA security if both its SKEM part and its DEM part satisfy some security assumptions.