Signcryption secure against linear related-key attacks
A related-key attack (RKA) occurs when an adversary tampers the private key stored in a cryptographic hardware device, and observes the result of the cryptographic primitive under this modified private key. In this paper, we consider the security of signcryption schemes under linear RKAs, where an adversary is allowed to tamper the private keys of the receiver and the sender, and subsequently observe the outcome of a signcryption system under these modified private keys of both parties. We define two security notions for RKA-secure signcryption schemes: chosen ciphertext RKA and chosen message RKA. We require that a signcryption scheme remains secure even when an adversary is allowed to access the designcryption oracle and the signcryption oracle on linear shifts of the private keys of the receiver and the sender, respectively. After reviewing some basic definitions related to our construction, we give a specific signcryption scheme from bilinear Diffie-Hellman which is secure against RKAs. Furthermore, we extend the security model of signcryption with anonymity, where the ciphertext is anonymous to others except the real receiver given the honest sender and the honest receiver. Fortunately, with a trivial modification to the original signcryption scheme, our proposed signcryption scheme can protect the privacy of both the sender and the receiver.